A chink in Android Armour

Filed Under: Android, Fake anti-virus, Mobile, SophosLabs

apparm3-170Apart from the increasing number of truly malicious Android samples we have to process every day in SophosLabs (around one thousand) we also have to process applications that approach and often cross the fine line between the completely legitimate and potentially unwanted applications (PUAs).

A high number of these borderline samples indicates the degree to which developers view the Android ecosystem as a bit of a gold rush.

There are cracked versions of paid for apps, repackaged apps with additional advertising frameworks, apps including aggressive advertising libraries leaking personally identifiable data and simply apps from non-English speaking countries which have their own idea of what is and what is not legitimate.

Among them an app called Android Armour was represented with a particularly high number, with over six thousand samples in our Android apps database. Clearly, we had to take a closer look to make a decision on how to classify it.

If it was malicious we had to react as soon as possible. If it was a potentially unwanted application we had to act quickly. If it was legitimate we had to mark it as trusted and make sure that other team members do not classify it as one of the categories blocked by Sophos Mobile Security and other products.

It turns out, the classification took longer and was more difficult than usual.

Initially I was tempted to classify it as malware, fake anti-virus software is not a new concept, not even on Android, but after a brief look at its code I decided to investigate further and make sure I did not take down a legitimate security app in a suspicious incident of friendly fire.

Android Armour claims to be a security app for Android and although it is not hosted on Google Play (first suspicious clue) it is hosted on Amazon's Android store (first non-suspicious clue). The application home page states:

HackerTrapp is the most comprehensive online virus/malware/adware definition database available! In addition to 20 major virus databases, HackerTrapp utilizes our internal network of over 1.8 million users to scan and report new apps to continually expand our antivirus database.

I installed the app on my test system and was (not) surprised that the application suggested I pay for the "premium" functionality of being able to remove malware and use more detailed "deep scan" technology.

Both legitimate and malicious apps often utilize the freemium revenue model.

However, the screen used for collecting credit card information in Android Armour closely resembles a Google Play page (very suspicious clue since the app is not hosted on Google Play).

apparm5-490

Since seeing the Google-like credit card form I was not surprised to find out that Android Armour detected a non-existent threat in one of the applications (another suspicious clue).

After few attempts to find more details about which application was being detected as malicious, I managed to find it.

It was Dropbox. Only after looking at the TCP traffic dump did I see that the returned threat name was TROJ_GEN.FCBHZKC, which seems to be the naming scheme used by Trend Micro's products.

GET /check?hash=7B35D8D71EBE25AC21B2C6DE0E27FFE047466AEC
HTTP/1.1
Host: antivirus.trafficmanager.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 08 Jan 2013 15:10:54 GMT
Content-Length: 49

{"ResponseCode":2,"Details":["TROJ_GEN.FCBHZKC"]}

This further means that either:

  1. Android Armour is deliberately detecting popular apps such as Dropbox to drive its own revenue (malicious indeed)
  2. or

  3. Android Armour service uses Trend Micro's scanner which had an incorrect detection of Dropbox (and it turns out several other apps). Trend Micro probably retracted the detection but it stayed in the Android Armour database (less suspicious)

The hash parameter of the GET request is just a SHA1 checksum, which is not uncommon for cloud lookups.

Further Wireshark analysis shows that the "powerful technology" is nothing more than a clear text HTTP request to a web service hosted at antivirus.trafficmanager.net a domain used by Windows Azure cloud platform for traffic distribution and load balancing.

Of course, trafficmanager.net domains can be used for load balancing, but also for proxying requests to other domains which the users are not supposed to discover (suspicious again).

20 virus databases? A service with multiple antivirus engines? That sounds familiar. Perhaps this product is simply using one of the established sites such as Virustotal.com and presents it as its own technology?

Since Virustotal.com is the most well known malware scanning service and the prime suspect I decided to conduct a little experiment: assuming Android Armour is using the Virus Total API, it will upload a completely unknown application to Virus Total and scan it with the existing scanners.

Once the application is scanned it will be known to Virus Total and I will be able to see it. For this purpose I created a "Hello, world" like app using the awesome MIT App inventor, an excellent development environment for prototyping and writing simple Android apps.

Then I scanned the app with Android Armour. After a few minutes I went to virustotal.com, searched for its SHA1 checksum and indeed, it was there.

apparm2-500

So Virus Total is the revolutionary technology used by Android Armour. Strictly speaking, Android Armour is not fake anti-virus software. One could argue that it provides valuable functionality to the user.

However, even if Android Armour has an agreement with Virus Total, which I sincerely doubt and I am still checking, the final straw was its pricing model.

Even if it initially seems that the price is acceptable at $0.99, only if the user reads the fine print will they realize that this is the price per week.

Android Armour terms and conditions state:

Android Armour Advanced Version is a weekly subscription. You authorize us to charge you the subscription cost ($0.99) for the first week now, and subsequent weeks will be billed at 0.99$ either weekly or grouped together every four weeks as a single charge of 3.96$. This will be charged automatically, charged to the payment method provided.

Considering the fact that there are many free and fully functional security applications, including Sophos Mobile Security, from more reputable vendors this is extortion.

But it is more for the muddled pricing scheme than the final price that we finally decided Android Armour will be detected by Sophos product as a potentially unwanted application even if it will be definitely unwanted for most users.


, , ,

You might like

14 Responses to A chink in Android Armour

  1. Great article and great analysis. However, this rises a question on SOPHOS Android app, how the app is updated with the latest signatures? I mean, I am having it, trusting it, but I tried to navigate between options and tabs but did not find any mention of the following:

    - Update database.
    - Real-time protection against malware and viruses.

    therefore, I installed Lookout app. If you can, please, answer my questions on Sophos app, how the DB is updated and if there is a real-time protection, I will happily switch back.

    Thanks again for the article.

    • Chester Wisniewski · 593 days ago

      The application does contain a small database of well known malicious applications, but most of the information comes from real-time cloud lookups. We scan the apps whenever you install new apps giving us an opportunity to recheck your old ones and verify the veracity of the ones you are trying to install. This keeps the overhead very low while providing a high degree of protection.

      • Chris Hodell · 592 days ago

        a small database of "well known malicious". hmm how about new malicious applications? does that mean users of sophos app are protected against "well known malicious" but newly malicious are free to dive? or you push updates to its database through updates on the app from play store?

        curiosity lvl:99999

        • Chester Wisniewski · 592 days ago

          New malicious apps are detected using the cloud lookups providing the most up to date protection possible from SophosLabs without consuming space on your Android device.

  2. Very interesting.

    Regarding the pricing model, you say that "only if the user reads the fine print will they realize that this is the price per week."

    Looking at the screenshot I can see it is shown as a weekly charge as in the upper right corner it reads:

    Unlimited application
    use weekly subscription

    Goes to show how careful we all need to be not just when checking the permissions an Android app is requesting but also the pricing model.

  3. A good example of explaining the background of how Apps are checked and classified. It's an insight to another part of the Information Security world that I have not yet visited. Thank you

  4. Is the "TRUSTe verified" seal fake?

  5. April · 524 days ago

    As an android user who has a ton of apps installed (and is somewhat likely to add more, or at least swap a few), I am realizing that I need to understand these issues a bit more than I do. Quite a lot of what was said in this article was way over my head, but I am definitely interested in learning. I use my phone for too many uses not to.

    Is there a place to check a running list of apps to see how the apps I currently use are classified?

    Is there any advice--such a list of 'best practices'--to help lay-techies to be more savvy when choosing a new app? I usually look through reviews and check the size to decide, but now I'm thinking I need to look at them a different way.

  6. Clare Nelson · 349 days ago

    As of 11 September 2013, the Armor for Android Antivirus app is still available from Google Play and Amazon Appstore for Android. The price remains $29.95. Are there any updates on this rogue app?

  7. Luisa Childs · 263 days ago

    what's the best way to cancel my subscription to armour for android. I stupidly fell for their scam of acting as though there was a virus on my phone and then armour popped up claiming to be antivirus software - I panicked at the thought of there being a virus on my phone (stupid me) and purchased the app which only showed the price of the app itself, not the monthly charge!! I now have a payment of over $50 $AUD pending against my credit card account. Therefore, how do I stop them charging me?

    • Paul Ducklin · 263 days ago

      Did you talk to the company that provides your card and dispute the ongoing charges? You might also consider reporting the software to...hmm...the ACCC? ACMA?...for misleading business practices.

      If you're certain that you were tricked into paying the fee by the report of a virus that wasn't actually there, try using that as your basis for a dispute with VISA or MasterCard. I have no idea if you'll get your money back but it's worth a try.

  8. superultrafast · 250 days ago

    Pretty! This has been a really wonderful article. Thanks for providing these details.

  9. lasse · 209 days ago

    Armor for android is now 1 time payment
    Have used it long time, never get any payment

  10. sams · 38 days ago

    I have Same complain with Paul Ducklin and hope what Laser said was a fact because I am thinking of the next step to take now

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.