HackGuard aims to upend everything you know about Android security
The word “disruptive” is one of those terms tossed around so often that it has basically lost its strength as a descriptive tool. But every once in a while, an innovation comes along that addresses a problem so pernicious that it is worth pulling disruptive off the bench and into the game again.
The team over at the Palo Alto-based AppVision has developed a new security app that they have aptly named HackGuard to address one of the glaring issues affecting the Android OS ecosystem. While many fans of the Apple alternative have cited Google’s more open system as granting them increased freedom in using their devices, it has come with the price of lower security for users.
“We all agree that Android devices are insecure and they are getting hacked all the time,” AppVision’s CEO and CTO Norm Klapper tells Geektime, explaining that, “Often, they are being attacked at the binary/executable code level, which are some of the most dangerous attacks that can occur.”
It is true that on the code level, iOS programmers can make many of the same security mistakes found in Android apps that can lead to hacks on the device, owing in part to the perception that the App Store is more secure. That said, Android demands a lower security validation when uploading to the Play store than what is required by iOS for their store.
On Android, someone can actually sign the security certificate themselves, meaning that anyone — including miscreants — can upload a malware-filled app to the store. With iOS, it is a hard and fast requirement that it be handled by a recognized agency.
Then there is the added issue that it is a multi-tenant ecosystem, so there are an increasing number of risk factors.
Studies have shown that Android is being attacked at a much higher rate. This is due to the fact that it is just easier to do, not so much because of the app’s coding itself but rather due to the overall security measures that the OS has taken.
This has played out in major malware penetrating the Android bubble with attacks like Heartbleed, SlemBunk, and HijackRAT. In the second case, the malware was able to access important data on the user’s device and attack banking apps with trojans, further compromising security.
Understanding the anti-virus conundrum
With all of this malicious code flying around the Internet, Android users have looked to anti-virus (AV) programs to help protect them against at least some of the risk. Apps from some of the biggest names like Kaspersky, AVG, and Norton are geared at protecting devices from malware by scanning for known viruses in the source code and attempting to identify any sketchy behavior.
Unfortunately, having an AV app is not enough to stop some of the most common attacks that target the executable (binary) code. A recent study by the security team over at Arxan Technologies has shown that 98% of apps were found to lack protection against attacks aimed at the executable level.
The reason for this is inherent in the way that Google has structured Android’s security. Their security methodology entails containing all their apps in a quarantine called a sandbox. The idea is that apps will be kept separate from the rest of the OS to keep any issues that they may have from affecting the entirety of the system.
Unlike Microsoft, which has forged strong relationships with the major AV solution providers and allowed them to inspect programs that have been sandboxed, Google has refused to let anyone in to tamper with their safe space where the executable code lives.
This has had the overall effect of severely limiting the ability of AV makers to provide truly effective security for Android, leaving it more open to attacks.
Analyzing the anatomy of a hack
A device can become infected when a virus finds its way onto a machine through basic methods like phishing or a zero-day attack. In some cases, an attack targets devices that do not have the updated patches. It can arrive via an email, a link on a website, or malvertising (clicking on a banner ad). People have even introduced viruses using old school spy methods like spreading around USB thumb drives with the virus, leaving them for people to pick up.
“A virus by itself probably isn’t going to affect the binary, but it may install a C&C backdoor,” says Klapper. “What happens then is the hacker is granted remote access to the user’s machine. They can do a number of things like install a bot or go in and start affecting applications’ executable code. If they see that the user has a certain bank app, they can use a malicious pre-hacked version of this bank app and install it on the user’s machine. The next time the user runs their bank app, it will look the same, but in reality will send the hacker the user’s login credentials or other data.”
After that, the person who carried out the hack usually does not proceed to the next stage himself, but sells the credentials on the black market.
In the case of attacks on banking, this process can be seen in how the bad guys stage their assault on an unsuspecting user as described by Tara Seals in an article on the site infosecurity. She describes how a user will be exposed to a virus on their device, inviting the attackers in. Hackers use a Faketoken to intercept confirmation codes that are sent by the bank before activating the Marcher that asks the user for their details for collection by the cyber miscreants.
“Malicious scripts are out there that can circumvent both Android’s built-in security and any AV package that may be running on the device. They do this by gaining privileged access. There are holes in the system that allow this to happen,” explains Klapper, highlighting how apps that lack binary protection can be easily taken over by a hacker and the user’s data put at risk.
Revolutionizing Android security
In looking to tackle the issue of Google’s self-imposed limitations, HackGuard’s team has developed revolutionary, patent-pending technology to scan the binary code for malicious content.
They are able to access the executable code passively with the permission of the user, tracking it to determine if it’s been tampered with or is malware.
This feat is performed using two methods. HackGuard takes a “golden image” of what the code is supposed to look like on the device, using it for comparison. Every time the user goes to open the app, HackGuard checks the code to make sure that it has not been compromised.
The second is based on the idea that there is diversity in the world of Android that hackers can take advantage of for their attacks. One of the challenges that Apple does not have to deal with is the fact that there are multiple handset manufacturers, and a general lack of uniformity of the OS in use across users, requiring different versions of the code. HackGuard examines the manufacturer, OS, and carrier as variables that can change the executable code. They look at how the code is deployed on similar users and can identify outliers within their individual categories that could have been compromised.
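The two checks described above, sketched as an added example that is not HackGuard's code or part of the original article: a per-app golden digest re-checked at launch, and majority-digest outlier detection within each manufacturer/OS/carrier cohort. The SHA-256 choice, the `min_cohort` and `quorum` thresholds, and all names and sample data are assumptions.

```python
import hashlib
from collections import Counter, defaultdict

def digest(code: bytes) -> str:
    # SHA-256 over the executable bytes; the hash choice is an assumption.
    return hashlib.sha256(code).hexdigest()

class GoldenImageStore:
    """Method 1: keep a known-good digest per app and re-check it at launch."""
    def __init__(self):
        self._golden = {}

    def enroll(self, package, code):
        self._golden[package] = digest(code)

    def check_launch(self, package, code):
        golden = self._golden.get(package)
        if golden is None:
            return "unenrolled"  # no baseline, so nothing can be vouched for
        return "ok" if digest(code) == golden else "tampered"

def cohort_outliers(reports, min_cohort=3, quorum=0.6):
    """Method 2: group reports by (package, manufacturer, OS, carrier) and flag
    devices whose digest differs from their cohort's majority digest."""
    cohorts = defaultdict(list)
    for device, package, maker, os_ver, carrier, dig in reports:
        cohorts[(package, maker, os_ver, carrier)].append((device, dig))
    flagged = []
    for members in cohorts.values():
        if len(members) < min_cohort:
            continue  # too few peers to call anything an outlier
        top, count = Counter(d for _, d in members).most_common(1)[0]
        if count / len(members) < quorum:
            continue  # no clear consensus build in this cohort
        flagged += [device for device, d in members if d != top]
    return sorted(flagged)

# Constructed sample data: byte strings stand in for real executable code.
BUILD_A = b"bank-app build for AcmePhone"
BUILD_B = b"bank-app build for OtherPhone"  # legitimate variant, other cohort
PATCHED = BUILD_A + b" + injected code"
PKG = "com.example.bank"
REPORTS = (
    [(f"a{i}", PKG, "AcmePhone", "6.0", "CarrierX", digest(BUILD_A)) for i in range(3)]
    + [("a3", PKG, "AcmePhone", "6.0", "CarrierX", digest(PATCHED))]
    + [(f"b{i}", PKG, "OtherPhone", "5.1", "CarrierY", digest(BUILD_B)) for i in range(3)]
    + [("c0", PKG, "RarePhone", "4.4", "CarrierZ", digest(PATCHED))]
)
```

In the sample data, device `a3` is flagged because it disagrees with its three cohort peers, while `c0` carries the same modified build but goes unflagged because it has no peers to compare against.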
Klapper says that Arxan, a respected name in the security world, can protect the executable code in a similar way to HackGuard, but that protection has to be implemented by the publisher. This involves a complicated process that can take up to two man-months for publishers to implement. In contrast, HackGuard can be downloaded by the end user (one must sign up on their site) and begin protecting their most important apps in just seconds.
As we can see from numerous reports from places like Arxan and Checkmarx, the bottom line is that the vast majority of publishers have not provided a high enough level of protection on their apps.
HackGuard deals with the sandbox issue by running a sentinel that scans the designated apps and can sense when one of them is being launched, performing a fresh check on the executable code to make sure that it has not been compromised.
AVG and others check the source code coming in to see if it’s the right APK or if it has been compromised using signature analysis. However, after an app has been installed, it can certainly still be compromised through pernicious binary code, as shown by many recent attacks.
A great example of this is the attacks on banking apps where a hacker is able to gain control of a device through a trojan. If they see that the user has a specific banking app that they can swap out for their infected version, changing it by injecting malicious binary code, then the user is none the wiser until after the damage has already been done.
Thoughts and concerns
HackGuard seems to address one of the most destructive problems in security by taking on the shortfall in binary protection. Still, you should not dump your current AV solutions and depend solely on HackGuard for keeping your device secure.
Apps like the ones from AVG provide important continuous security scans that play a big role in catching malicious attacks. My impression from reviewing HackGuard and others is that, ideally, it should be used in tandem with existing programs.
One reason is that HackGuard cannot protect against attacks after the app has been launched and is already running. Klapper says, “It protects the executable code that gets loaded by the OS initially, and then run. This is where the most prevalent type of attack occurs.”
However, “If there is a subsequent attack on the memory space that is being used by the currently running code (e.g. by buffer overflow from some other app), then no, we do not protect against this (in the current B2C version). However, we can detect aberrant behavior by the executing code, although this capability does require pre-deployment cooperation by the publisher.”
Klapper explains to Geektime that part of leaving control in the hands of users means that they will have to still decide how to deal with potentially dangerous apps. “The product only warns the user before launch,” says Klapper, “then allows them to (a) exit the app, (b) get info on the problem, or (c) simply ignore the warning and use the app anyway. It does not remove the app or take any action without specific user permission.”
Users of the app should keep in mind that, at the end of the day, maintaining security is up to them and depends on their acting responsibly.
There are also a couple of features that some users will find annoying and may limit the apps they choose to protect. For example, if your health app stores data locally, then HackGuard cannot provide protection for the app unless you are willing to back up the data and then restore it. Klapper tells Geektime that their research has shown that less than 1% of apps store data locally, potentially making this less of an issue, but it’s still something that they will have to solve in the future.
Finally, their solution does not currently tell users what the contents of the APK are, as other AV products do, although Klapper says that this may become a possibility.
Steps for improving your mobile security
There are a couple of basic dos and don’ts when it comes to making your device and data just a little more secure.
1. Keep your OS up to date. Even if you don’t like the latest version of an OS, it will likely have important patches for old security flaws that will become very clear to hackers who compare it with the old version looking for vulnerabilities.
2. As seen above in the infographic from Arxan, only download apps from places you trust like the Google Play store. While it is far from the standards that Apple has set for the App Store, it is considerably safer than pulling them in from other sources. Free versions of paid apps might sound great when you download them from another site, but they are more than likely to come along with some unwanted baggage.
3. Do not root or jailbreak. Do I need to expand on this?
4. Avoid giving out personal details like usernames or passwords even if you are prompted for them. Google knows who you are (maybe even better than you know yourself) and does not need you to re-enter sensitive information. If a prompt for details seems out of place, find out who is asking and verify that they are legitimate. Details like credit card or bank account numbers will almost never actually be required since they probably already have them.
5. Get a password manager like 1Password, LastPass, or one of the other highly recommended options on the store. It will cut down on having to enter your username and password in general.
Looking to the future
The rollout of HackGuard will have a dual B2B and B2C targeting, offering advanced features for its professional users. HackGuard is expected to come out on the Google Play store some time in the next two to three months.
Android is the globe’s most popular OS and as such will only continue to be the target of attacks. As the security community responds to the existing viruses, hackers are constantly evolving to create smarter attacks, exploiting vulnerabilities in the system.
Banks continue to be a lucrative mark for hackers, and their viruses are getting smarter. For the time being though, they appear to often be based on running compromised executable code that wreaks havoc on a user’s device, stealing their sensitive data.
Klapper and his team are confident that they can have an impact in stopping most of these attacks.
Special thanks to Elad Shapira of AVG for consulting on this article