A chink in Android Armour

Apart from the increasing number of truly malicious Android samples we have to process every day in SophosLabs (around one thousand), we also have to process applications that approach, and often cross, the fine line between completely legitimate software and potentially unwanted applications (PUAs).

A high number of these borderline samples indicates the degree to which developers view the Android ecosystem as a bit of a gold rush.

There are cracked versions of paid-for apps, repackaged apps with additional advertising frameworks, apps including aggressive advertising libraries that leak personally identifiable data, and simply apps from non-English-speaking countries which have their own idea of what is and what is not legitimate.

Among them, an app called Android Armour stood out with a particularly high count: over six thousand samples in our Android apps database. Clearly, we had to take a closer look to decide how to classify it.

If it was malicious we had to react as soon as possible. If it was a potentially unwanted application we had to act quickly. If it was legitimate we had to mark it as trusted and make sure that other team members do not classify it as one of the categories blocked by Sophos Mobile Security and other products.

It turned out that the classification took longer and was more difficult than usual.

Initially I was tempted to classify it as malware; fake anti-virus software is not a new concept, not even on Android. But after a brief look at its code I decided to investigate further and make sure I did not take down a legitimate security app in a suspicious incident of friendly fire.

Android Armour claims to be a security app for Android and although it is not hosted on Google Play (first suspicious clue) it is hosted on Amazon’s Android store (first non-suspicious clue). The application home page states:

HackerTrapp is the most comprehensive online virus/malware/adware definition database available! In addition to 20 major virus databases, HackerTrapp utilizes our internal network of over 1.8 million users to scan and report new apps to continually expand our antivirus database.

I installed the app on my test system and was (not) surprised that the application suggested I pay for the “premium” functionality of being able to remove malware and use more detailed “deep scan” technology.

Both legitimate and malicious apps often utilize the freemium revenue model.

However, the screen used for collecting credit card information in Android Armour closely resembles a Google Play page (very suspicious clue since the app is not hosted on Google Play).


Since seeing the Google-like credit card form I was not surprised to find out that Android Armour detected a non-existent threat in one of the applications (another suspicious clue).

After a few attempts to find more details about which application was being detected as malicious, I managed to find it.

It was Dropbox. Only after looking at the TCP traffic dump did I see that the returned threat name was TROJ_GEN.FCBHZKC, which seems to be the naming scheme used by Trend Micro’s products.

GET /check?hash=7B35D8D71EBE25AC21B2C6DE0E27FFE047466AEC HTTP/1.1
Host: antivirus.trafficmanager.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 08 Jan 2013 15:10:54 GMT
Content-Length: 49

{"ResponseCode":2,"Details":["TROJ_GEN.FCBHZKC"]}

This further means that either:

  1. Android Armour is deliberately detecting popular apps such as Dropbox to drive its own revenue (malicious indeed), or
  2. the Android Armour service uses Trend Micro’s scanner, which had an incorrect detection of Dropbox (and, it turns out, several other apps). Trend Micro probably retracted the detection but it stayed in the Android Armour database (less suspicious).

The hash parameter of the GET request is just a SHA1 checksum, which is not uncommon for cloud lookups.

Further Wireshark analysis shows that the “powerful technology” is nothing more than a clear text HTTP request to a web service hosted at antivirus.trafficmanager.net, a domain used by the Windows Azure cloud platform for traffic distribution and load balancing.

Of course, trafficmanager.net domains can be used for load balancing, but also for proxying requests to other domains which the users are not supposed to discover (suspicious again).
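To make the traffic analysis above reproducible, here is an added example (not code from the post or from Android Armour) that reconstructs the captured request/response pair, extracts the lookup key and the verdict, and shows how the key is derived from an APK. The exchange text is constructed from the capture quoted above; the reading of a non-empty "Details" list as a detection is an assumption based on that single reply.

```python
import hashlib
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the HTTP exchange quoted in the post (headers trimmed);
# the hash and the verdict string are the post's own values.
CAPTURED_EXCHANGE = (
    "GET /check?hash=7B35D8D71EBE25AC21B2C6DE0E27FFE047466AEC HTTP/1.1\r\n"
    "Host: antivirus.trafficmanager.net\r\n"
    "User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Content-Length: 49\r\n"
    "\r\n"
    '{"ResponseCode":2,"Details":["TROJ_GEN.FCBHZKC"]}'
)

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def apk_lookup_key(apk_bytes: bytes) -> str:
    """SHA1 of the APK contents, upper-cased like the value seen on the wire.
    Only this digest leaves the device, not the APK itself."""
    return hashlib.sha1(apk_bytes).hexdigest().upper()


def parse_lookup_exchange(raw: str) -> dict:
    """Split a captured request/response pair into the fields a reviewer of a
    cloud-lookup client cares about: destination host, what is sent (a file
    hash) and what verdict comes back. Everything here was readable in plain
    text on the wire, which is the finding the post makes."""
    req_hdr, resp_hdr, body = raw.split("\r\n\r\n", 2)
    method, target, _version = req_hdr.splitlines()[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in req_hdr.splitlines()[1:]
                   if ": " in line)
    file_hash = parse_qs(urlsplit(target).query).get("hash", [""])[0]
    status = int(resp_hdr.splitlines()[0].split(" ")[1])
    verdict = json.loads(body)
    detections = list(verdict.get("Details", []))
    return {
        "host": headers.get("Host", ""),
        "method": method,
        "hash": file_hash,
        "hash_is_sha1": bool(SHA1_HEX.match(file_hash)),
        "status": status,
        "response_code": verdict.get("ResponseCode"),  # returned as-is
        "detections": detections,
        "flagged": bool(detections),  # assumption: names present == detection
    }
```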

20 virus databases? A service with multiple antivirus engines? That sounds familiar. Perhaps this product is simply using one of the established sites such as Virustotal.com and presents it as its own technology?

Since Virustotal.com is the most well known malware scanning service and the prime suspect I decided to conduct a little experiment: assuming Android Armour is using the Virus Total API, it will upload a completely unknown application to Virus Total and scan it with the existing scanners.

Once the application is scanned it will be known to Virus Total and I will be able to see it. For this purpose I created a “Hello, world”-like app using the awesome MIT App Inventor, an excellent development environment for prototyping and writing simple Android apps.

Then I scanned the app with Android Armour. After a few minutes I went to virustotal.com, searched for its SHA1 checksum and indeed, it was there.


So Virus Total is the revolutionary technology used by Android Armour. Strictly speaking, Android Armour is not fake anti-virus software. One could argue that it provides valuable functionality to the user.

However, even if Android Armour has an agreement with Virus Total, which I sincerely doubt and I am still checking, the final straw was its pricing model.

Even if the price initially seems acceptable at $0.99, only a user who reads the fine print will realize that this is the price per week.

Android Armour terms and conditions state:

Android Armour Advanced Version is a weekly subscription. You authorize us to charge you the subscription cost ($0.99) for the first week now, and subsequent weeks will be billed at 0.99$ either weekly or grouped together every four weeks as a single charge of 3.96$. This will be charged automatically, charged to the payment method provided.

Considering that there are many free and fully functional security applications from more reputable vendors, including Sophos Mobile Security, this is extortion.

But it was the muddled pricing scheme, more than the final price, that made us decide Android Armour will be detected by Sophos products as a potentially unwanted application, even though it will be definitely unwanted for most users.