"Stick to the Google Play store!" says renowned information security expert at ESET
A couple of days ago, I was at a security conference called ESET Security Days. There were quite a few interesting sessions and I met quite a lot of smart people who work in information security. One of them is Nick FitzGerald, Senior Research Fellow at ESET. He takes care of security in the Android ecosystem and we were lucky to have him as a guest in an interview about malware and security on Android devices. He had many interesting things to say and you should read this interview:
Who is Nick FitzGerald?
Before we go into the interview, I would like to talk a bit about Nick FitzGerald. He is a very private person and you can hardly find any information about him on the internet. Today he is taking care of information security at ESET Australia, focusing mostly on the Android ecosystem. Nick is one of the people who established the methodology for VB100 certification and ran the first VB100 tests at Virus Bulletin. Alongside his job at ESET, he still works with Virus Bulletin as a member of its advisory board.
When I met him, I very much enjoyed his friendliness and openness. He shared lots of interesting information during the conference and, while dining with him, I very much enjoyed our conversations and his sense of humor. It was a pleasure meeting him and I am very happy that he agreed to be a guest in this interview.
What is the most common type of malware that targets Android users today?
From the detection telemetry data we get back from those in our installed base who have enabled the telemetry sharing option, the greatest proportion of detections is the general class of things we call Potentially Unwanted Applications (or PUA). Not all of our customers choose to have PUAs detected – it is an install-time option and there is no default setting; the customer must make their own choice. PUAs are typically apps that use shady techniques to achieve results that, while not overtly malicious (which would be outright blocked by our product without the customer having any choice), experience shows us many customers do not wish to have run on their devices.
After PUAs, and looking at real malware detections, the most common types of Android malware we have seen blocked on customer devices this year are "droppers". These are typically a bundle of a legitimate (although usually quite inane) app and something malicious. Commonly the malicious component is not installed or enabled until sometime after the initial app installation. This is a relatively recent development in the Android malware arena but has rapidly become quite popular with malware writers. The apps installed by such droppers can be anything, but it seems at the moment that PUA advertising apps are the most common payloads.
What is the nastiest thing that can happen to Android users if their devices get infected with malware?
I'm not aware of this happening, but in theory the device could be "bricked", either deliberately or unintentionally. Whether that is better or worse than, say, having all your most intimate secrets (and photographs) stolen and possibly posted to the web or otherwise used in an attempt to embarrass or ransom you, may depend on who you are and what you keep on, or can access from, your smartphone.
Looking at actual Android malware, the LockerPin family, which can set a random PIN lock screen that is not known to the perpetrators, is very nasty, as the conditions that could allow recovery from this device-locking payload will almost never be found on a typical device.
In your view, which are the major weaknesses the Android ecosystem has in terms of security?
Compared to its main competitor in the mobile arena, iOS, Android is somewhat more open, allowing developers and users greater flexibility. That may result in benefits to the user but it also means that malicious activity is more easily directed to Android users. There have, for example, been many more overtly malicious apps get into Google's official app store than into Apple's. Further, Google is generally quite skeptical about the possible value of security products for the Android platform, so does not provide advanced capabilities to better support such products. This is a major architectural weakness in the Android operating system.
When looking at the Android platform and how it is built, which are the top things an Android security product can't do for users in terms of protection?
The lack of system hooks or official security APIs means that proper on-access scanning cannot be performed. For now, a virus scanner is limited to checking an app when its installer package is downloaded to the device and again when the app is installed. Google could allow verified security apps to install with higher privileges but has chosen not to, so unlike on other operating systems, like Windows for example, your Android security app is just another app running at the same privilege level as any other. Equally concerning is that the Device Administrator privilege is doled out at the user's behest. We can disable them, but they are quite likely to just as easily disable us.
How does a security product for Android, like ESET Mobile Security & Antivirus, protect its users?
Our Android security products offer several forms of protection. There is malicious code and (optionally) PUA detection care of the antivirus functionality, malicious website blocking utilizing the ESET Live Grid®, device location and anti-theft functionality and system diagnostics.
Editor's note: PUA means Potentially Unwanted Application. Generic PUA detections provide you with timely detection of new and updated Potentially Unwanted Applications.
Which are your top security recommendations for Android users, other than using a security product on their devices?
Stick with the official Play Store (that kind of sucks as advice for certain regions of the world!) and be very careful about granting the Device Administrator privilege to anything but a bona fide security or system administration app.
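Nick's point about the Device Administrator privilege (in his answer on what security apps cannot do, and again in the recommendation above) suggests a simple check a user or admin can run: list which apps currently hold Device Admin and flag any that are not an expected security or management app. The script below is an added example, not part of the interview or of any ESET product; it parses the text printed by `adb shell dumpsys device_policy`, whose layout is assumed from the constructed sample embedded here and may differ between Android versions, and the package names in the sample are made up.

```bash
#!/bin/sh
# Added example: audit Device Administrator holders on an Android device.
# Reads `dumpsys device_policy` text on stdin and reports admins that are
# not on an allowlist of expected security / management apps.

# Constructed sample of dumpsys output (layout assumed, not captured from a
# real device): one expected security app and one unexpected game both hold
# the Device Administrator privilege.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.securityapp/com.example.securityapp.AdminReceiver}:
      uid=10123
      policies:
        force-lock
        wipe-data
    ComponentInfo{com.example.freegame/com.example.freegame.AdminRcv}:
      uid=10201
      policies:
        force-lock
        wipe-data
        reset-password
'

# Print the package name of every enabled device admin found on stdin.
# Each admin appears as "ComponentInfo{<package>/<receiver class>}:".
list_device_admins() {
    sed -n 's|^ *ComponentInfo{\([^/]*\)/[^}]*}:.*|\1|p'
}

# $1: space-separated allowlist of packages expected to hold Device Admin.
# Prints every device admin on stdin whose package is not allowlisted.
unexpected_admins() {
    allow=" $1 "
    list_device_admins | while read -r pkg; do
        case "$allow" in
            *" $pkg "*) ;;                      # expected holder, skip
            *) printf '%s\n' "$pkg" ;;          # unexpected: report it
        esac
    done
}

# Offline demonstration on the constructed sample; on a connected device use:
#   adb shell dumpsys device_policy | unexpected_admins "com.example.securityapp"
printf '%s' "$SAMPLE_DUMPSYS" | unexpected_admins "com.example.securityapp"
```

Any package reported here holds the same force-lock and wipe-data powers as a security app, so it is worth revoking in Settings unless you know why it needs them.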
What do you think about malware, security and privacy on Android?
Now that you have read Nick's perspective, I would like you to share yours. Do you think that you need security products for Android? Are you using one on your smartphones and tablets? Have you dealt with malware for Android, and what happened?