Google VirusTotal – now with autoanalysis of OS X malware

Back in April 2015, at the RSA conference, Google did a strange thing.

The makers of Android as good as denied the existence of Android malware by re-defining it into a category called PHAs, or Potentially Harmful Applications.

In any case, said Google, PHAs were hardly worth worrying about because “less than 1% of devices have a PHA installed.” [Shouldn’t that be “fewer”? Ed.]

Of course, 1% of more than 1 billion devices still adds up to more than 10,000,000 PHA-infected Androids in the wild at any time.

And with PHAs lumped into subcategories including spyware, backdoor, call_fraud, sms_fraud, phishing, DDoS and ransomware…

…it certainly sounds as though most of us would be happy with the word malware as shorthand for Potentially Harmful Application. (Ironically, Google even lists generic_malware as a named subcategory of PHAs.)

In fact, Google probably agrees with us, because its own online malware processing service, VirusTotal, will accept Android malware samples.

VirusTotal attempts to analyse and classify malware automatically by scanning incoming samples with a battery of security products, which helps to match up which products use what names.

The service also runs certain sample types in a controlled research environment often called a sandbox.

If a suspicious new file is spotted that isn’t yet known to the security research community, samples of the file can quickly be distributed to those with a need to know.

Malware sandboxing isn’t for the faint-hearted. Don’t be tempted to get started in anti-virus research simply by grabbing some malware samples and running them in a virtual machine (VM) on a spare computer at home to see what happens. If you aren’t careful, the malware could end up attacking other people’s networks. For example, if you deliberately run spam zombie malware in a VM to monitor what it does, you don’t want any of its spam to escape and reach innocent users. If that happens, you become part of the problem, not the solution!

Loosely speaking, the malware types that VirusTotal itself knows how to analyse are those most likely to be encountered in real life, and fretted about, by users around the world.

Automatic processing of Windows programs (known in the trade as PE files, short for Portable Executable format, even though they’re Windows-specific) was added to VirusTotal in 2012, and of Android programs in 2013.

And now – don’t shoot the messenger – Google has added OS X apps to VirusTotal’s capabilities.

You can upload:

  • DMGs. (Mac disk images, commonly used for distributing Mac apps.)
  • Mach-O files. (Mach-O is the OS X equivalent of a PE file – the native executable binary format.)
  • A zipped-up Mac app. (Most officially-installed Mac apps exist as a self-contained directory tree stored in /Applications.)
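
To tell these upload types apart before submitting a sample, a static check of a few bytes is enough. The sketch below is an added example, not code from VirusTotal or from this article; the function names are hypothetical, the byte checks are heuristics (UDIF trailer, architecture-count threshold), and the sample data in `constructed_zip` is constructed.

```python
import io
import struct
import zipfile

# Mach-O magic numbers as they appear in the first four bytes on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # also the magic of Java .class files


def classify_sample(data: bytes) -> str:
    """Coarse static label for a sample; nothing is executed or written to disk."""
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # Heuristic: a universal binary stores a small architecture count here,
        # while a Java class stores minor/major version (major is 45 or more).
        (count,) = struct.unpack(">I", data[4:8])
        return "Mach-O universal binary" if 0 < count < 45 else "Java class file"
    if head[:2] == b"MZ":
        return "MZ executable (DOS/PE)"
    # UDIF disk images end with a 512-byte trailer that starts with "koly".
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "DMG (UDIF disk image)"
    if head == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "malformed ZIP"
        # An app bundle is a directory tree of the form Name.app/Contents/...
        if any(".app/Contents/" in name for name in names):
            return "zipped Mac app bundle"
        return "ZIP archive (no app bundle)"
    return "unknown"


def constructed_zip(member: str) -> bytes:
    """Build a tiny in-memory ZIP with one placeholder member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder")
    return buf.getvalue()
```

The archive is only listed, never extracted, so a hostile ZIP cannot write files outside a working directory during triage.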

We’ll be quite frank, and say that your risk of malware infection on OS X is very much lower than on a Windows or Linux computer.

Infected Linux servers are depressingly common these days, and the main motivation that crooks have for infecting them is to pass malware on in bulk to Windows users.



So, with Windows and Linux locked in an unhealthy “cybercrime symbiosis,” it’s easy to assume that the risk of OS X malware, or of Mac-specific phishing, or any other Apple-directed cybercriminality, is low enough to be written off as zero.

We think that’s a dangerous assumption, and we’re not just saying that because we have Mac threat protection software to sell you.

(Actually, for home use, Sophos Anti-Virus for Mac is 100% free, but that’s still not why we’re saying that Mac malware is worth taking seriously.)

It’s the other way around: we think Mac malware is worth taking seriously, and that’s why we have Sophos Anti-Virus for Mac.

But don’t ask us if there really is Mac malware out there…ask Google 🙂