Why are Android anti-virus firms so slow to react on Carrier IQ?

Release of eradication 'detection' apps 1 month on raises questions


Analysis Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill ... and a month after a security researcher first discovered it.

BitDefender released Carrier IQ Finder, an app that identifies the presence of the controversial mobile diagnostic tool, following Lookout's earlier release of a similar tool called Carrier IQ Detector. Both applications let mobile phone users know if they have Carrier IQ running on their Android phone without actually removing it. Each has been available at no charge via the official Android Market since last Saturday (3 December).

In a statement, BitDefender said that Carrier IQ's mobile network diagnostic tool is "so deeply integrated with the device’s firmware [that] Carrier IQ Finder cannot remove it".

Catalin Cosoi, global research director at Bitdefender, explained: "The Carrier IQ package can't be removed by the users themselves if they don't have root access on the device. They can, however, take the issue with the carrier and ask that the package be removed from the system."

All this still leaves us with the question of why these anti-virus firms needed an extra app to detect Carrier IQ. Shouldn't this application have been detected as potentially unwanted, at least, some time ago?

In a blog post, Lookout explained why signature detection for Carrier IQ was not added to its stand-alone Android security applications.

"Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout," it said.

Kevin Mahaffey, co-founder and CTO of Lookout, told El Reg that it released its tool in response to requests from users. He added that even though Carrier IQ wasn't malware, it did raise transparency and privacy issues. Mahaffey suggested that anti-malware protection ought to be all-in-one in mobiles (anti-spyware started off as a separate utility in the Windows world some years back), but didn't rule out the possibility of releasing other stand-alone tools in future.

Kaspersky Lab said it too had decided Carrier IQ wasn't malware but had decided, unlike Lookout, not to release a stand-alone tool.

Ram Herkanaidu, education manager at Kaspersky Lab, explained: "Kaspersky Lab does not currently detect Carrier IQ on Android devices because leaving aside the question of whether service providers need to collect this level of information, it is not strictly speaking malicious software. Currently there are no plans for Kaspersky to create a separate tool to detect Carrier IQ on mobile devices. That said, our global security researchers are investigating this and if any developments occur, we will take action appropriately."

Lookout's line is that although technically savvy users might be able to find out if Carrier IQ is running on their devices, its tool is needed because it allows less technically sophisticated users to do the same thing.

The whole episode leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren't able to get a specific answer on whether or not it was up for contesting such actions.

Anti-virus firms have been stung with lawsuits before over the detection of user-installed bundled spyware on Windows machines, something that might easily be repeated in the Android arena. Notorious, defunct crapware vendor Zango unsuccessfully sued security software maker Kaspersky Lab for calling its product "spyware". Kaspersky manned up and fought the action, defending an important principle in the process. Other security firms might decide to duck this kind of fight.

Carrier IQ's initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness the firm has since tried to explain what it's about and how its technology operates in a way that has defused many (but not all) of the original concerns.

Smartphone manufacturers and network providers confirmed that phones using Carrier IQ tracking software include Apple, AT&T, Sprint, HTC, and Samsung. Although iPhone users are also affected, the issue of whether anti-malware software can protect them doesn't arise because on-board anti-virus scanners for iOS are against the Jobsian faith. Users of Android devices who take the trouble to apply security software are entitled to feel more protected, but the Carrier IQ affair raises doubts about this.

It's notable that Android anti-virus firms weren't saying: "Wow this app is weird and it has all these privileges" and asking questions about Carrier IQ until the same day Senator Al Franken sent a letter to Carrier IQ. This raises the question of whether these mobile security apps have the ability to detect something clearly malign – a future Android rootkit, for example. Recent tests by AV-Test.org that revealed the inadequacies of some Android freebie scanner products (Lookout wasn't tested) hardly inspire confidence on this point either.

Computer researchers at Rutgers University in the US developed a proof-of-concept rootkit back in March 2010. Security firms including Fortify Software and Imperva have since expressly warned of this risk. Lessons from history suggest not every security vendor will respond promptly to the risk if and when it arrives.

Seven years ago, when the Sony BMG CD copy-protection rootkit scandal broke, security researcher Mark Russinovich and F-Secure independently discovered the software at about the same time. F-Secure quickly and decisively stood up and condemned Sony's use of the same tactics used by virus writers in its copyright protection software. But it was only after Sony admitted it had erred that other anti-virus vendors belatedly added detection, as explained in a good historical overview of the whole sorry affair by Bruce Schneier here.

Lookout disagrees that this analogy was appropriate. The Sony rootkit involved a third-party modifying software, it said. Carrier IQ supplied a diagnostic kit built into phones and was more akin to Microsoft Software Update. ®
