Safety Net is a consumer-friendly name for Google's on-device monitoring of app behavior, which detects malware that would otherwise evade identification by antivirus scanning technology. Behavioral monitoring on the device isn't new, but it is not widely used. Scanning apps when developers upload them to the Play Store, and scanning apps for viruses before installation, reduces the number of potentially harmful apps that get installed. But not all harmful apps can be detected with these kinds of tools, especially polymorphic malware that continuously changes its signature, like the malware used to steal credit card data from Target's cash registers.
This additional layer of defense that monitors app execution behavior was added as a push update to Google Mobile Services (GMS) in the Play Store app. It compares how apps behave to Google's repository of behavioral graphs that grows with the addition of 15 million new pieces of data per day, including apps, developers, app behaviors, relationships and third-party analyses.
An app need not test positive in a malware scan to become suspect. Google's data can be used to single out an app that may be harmful. In the spirit of Google's analytical core, more data means better security. Ludwig would not go into specific detail, but in response to a question about how Google assesses developers' reputations as a predictor of malware, he suggested that the data available to the Android security team extends beyond just Android:
"How we do it is something of a secret sauce, but Google has a lot of historical attack data from people attempting to violate our systems."
As the creator of and a contributor to MapReduce, Google is experienced in distilling massive amounts of data into meaningful conclusions. Using the data derived from hundreds of millions of Android devices and Google's security experience, many signals can flag an app as suspicious.
Building a defense through containment isn't possible with an ecosystem of the scale and diversity of Android. Looking for the needle in the haystack by scanning, monitoring, and using massive amounts of data with predictive analytics to detect vulnerabilities and remediate them is the only way that Android can be secured.
Not surprisingly for a Google talk, Ludwig shared a lot of data to explain Android's security methods. In retrospect, the AMV is exploited only 35 times per million app installations downloaded from outside of Google Play. More interesting than the tiny number of exploits is that the Android security team has visibility into what kind of apps use this exploit. As it turns out, more than half of these exploits are performed by knowledgeable users on their personal devices to install a Nintendo game emulator.
If the Android security team's work prevails, and with a little luck, Ludwig will still be speaking retrospectively at the next security conference about the AVM, and not a new vulnerability.
Source: Network World