Why are Android anti-virus firms so slow to react on Carrier IQ?

Release of eradication 'detection' apps 1 month on raises questions

Analysis Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill ... and a month after a security researcher first discovered it.

BitDefender released Carrier IQ Finder, an app that identifies the presence of the controversial mobile diagnostic tool, following Lookout's earlier release of a similar tool called Carrier IQ Detector. Both applications let mobile phone users know if they have Carrier IQ running on their Android phone without actually removing it. Each has been available at no charge via the official Android Market since last Saturday (3 December).

In a statement, BitDefender said that Carrier IQ's mobile network diagnostic tool is "so deeply integrated with the device’s firmware [that] Carrier IQ Finder cannot remove it".

Catalin Cosoi, global research director at Bitdefender, explained: "The Carrier IQ package can't be removed by the users themselves if they don't have root access on the device. They can, however, take the issue with the carrier and ask that the package be removed from the system."

All this leaves still us with the question of why these anti-virus firms needed an extra app to detect Carrier IQ? Shouldn't this application have been detected as potentially unwanted, at least, some time ago?

In a blog post, Lookout explained why signature detection for Carrier IQ was not added to its stand-alone Android security applications.

"Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout," it said.

Kevin Mahaffey, co-founder and CTO of Lookout, told El Reg that it released its tool in response to requests from users. He added that even though Carrier IQ wasn't malware, it did raise transparency and privacy issues. Mahaffey suggested that anti-malware protection ought to be all-in-one in mobiles (anti-spyware started off as a separate utility in the Windows world some years back), but didn't rule out the possibility of releasing other stand-alone tools in future.

Kaspersky Lab said it too had decide Carrier IQ wasn't malware but had decided, unlike Lookout, not to release a stand-alone tool.

Ram Herkanaidu, education manager at Kaspersky Lab, explained: "Kaspersky Lab does not currently detect Carrier IQ on Android devices because leaving aside the question of whether service providers need to collect this level of information, it is not strictly speaking malicious software. Currently there are no plans for Kaspersky to create a separate tool to detect Carrier IQ on mobile devices. That said, our global security researchers are investigating this and if any developments occur, we will take action appropriately."

Lookout's line is that although technically savvy users might be able to find out if Carrier IQ is running on their devices, its tool is needed because it allows less technically sophisticated users to do the same thing.

The whole episode leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren't able to get a specific answer on whether or not it was up for contesting such actions.

Anti-virus firms have been stung with lawsuits before over the detection of user-installed bundled spyware on Windows machines, something that might easily be repeated in the Android arena. Notorious, defunct crapware vendor Zango unsuccessfully sued security software maker Kaspersky Lab for calling its product "spyware". Kaspersky manned up and fought the action, defending an important principle in the process. Other security firms might decide to duck this kind of fight.

Carrier IQ's initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness the firm has since tried to explain what it's about and how its technology operates in a way that has defused many (but not all) of the original concerns.

Smartphone manufacturers and network providers confirmed that phones using Carrier IQ tracking software include Apple, AT&T, Sprint, HTC, and Samsung. Although iPhone users are also affected, the issue of whether anti-malware software can protect them doesn't arise because on-board anti-virus scanners for iOS are against the Jobsian faith. Users of Android devices who take the trouble to apply security software are entitled to feel more protected, but the Carrier IQ affair raises doubts about this.

It's notable that Android anti-virus firms weren't saying: "Wow this app is weird and it has all these privileges" and asking questions about Carrier IQ until the same day Senator Al Franken sent a letter to Carrier IQ. This raises the question of whether these mobile security apps have the ability to detect something clearly malign – a future Android rootkit, for example. Recent tests by AV-Test.org that revealed the inadequacies of some Android freebie scanner products (Lookout wasn't tested) hardly inspire confidence on this point either.

Computer researchers at Rutgers University in the US developed a proof-of-concept rootkit back in March 2010. Security firms including Fortify Software and Imperva have since expressly warned of this risk. Lessons from history suggest not every security vendor will respond promptly to the risk if and when it arrives.

Seven years ago, when the Sony BMG CD copy-protection rootkit scandal broke, security researcher Mark Russinovich and F-Secure independently discovered the software at about the same time. F/Secure quickly and decisively stood up and condemned Sony's use of the same tactics used by virus writers in its copyright protection software. But it was only after Sony admitted it had erred that other anti-virus vendors belatedly added detection, as explained in a good historical overview of the whole sorry affair by Bruce Schneier here.

Lookout disagrees that this analogy was appropriate. The Sony rootlet involved a third-party modifying software, it said. Carrier IQ supplied a diagnostic kit built into phones and was more akin to Microsoft Software Update. ®

Sponsored: Driving business with continuous operational intelligence