Why are Android anti-virus firms so slow to react on Carrier IQ?

Release of eradication 'detection' apps 1 month on raises questions

Gartner critical capabilities for enterprise endpoint backup

Analysis Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill ... and a month after a security researcher first discovered it.

BitDefender released Carrier IQ Finder, an app that identifies the presence of the controversial mobile diagnostic tool, following Lookout's earlier release of a similar tool called Carrier IQ Detector. Both applications let mobile phone users know if they have Carrier IQ running on their Android phone without actually removing it. Each has been available at no charge via the official Android Market since last Saturday (3 December).

In a statement, BitDefender said that Carrier IQ's mobile network diagnostic tool is "so deeply integrated with the device’s firmware [that] Carrier IQ Finder cannot remove it".

Catalin Cosoi, global research director at Bitdefender, explained: "The Carrier IQ package can't be removed by the users themselves if they don't have root access on the device. They can, however, take the issue with the carrier and ask that the package be removed from the system."

All this leaves still us with the question of why these anti-virus firms needed an extra app to detect Carrier IQ? Shouldn't this application have been detected as potentially unwanted, at least, some time ago?

In a blog post, Lookout explained why signature detection for Carrier IQ was not added to its stand-alone Android security applications.

"Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout," it said.

Kevin Mahaffey, co-founder and CTO of Lookout, told El Reg that it released its tool in response to requests from users. He added that even though Carrier IQ wasn't malware, it did raise transparency and privacy issues. Mahaffey suggested that anti-malware protection ought to be all-in-one in mobiles (anti-spyware started off as a separate utility in the Windows world some years back), but didn't rule out the possibility of releasing other stand-alone tools in future.

Kaspersky Lab said it too had decide Carrier IQ wasn't malware but had decided, unlike Lookout, not to release a stand-alone tool.

Ram Herkanaidu, education manager at Kaspersky Lab, explained: "Kaspersky Lab does not currently detect Carrier IQ on Android devices because leaving aside the question of whether service providers need to collect this level of information, it is not strictly speaking malicious software. Currently there are no plans for Kaspersky to create a separate tool to detect Carrier IQ on mobile devices. That said, our global security researchers are investigating this and if any developments occur, we will take action appropriately."

Lookout's line is that although technically savvy users might be able to find out if Carrier IQ is running on their devices, its tool is needed because it allows less technically sophisticated users to do the same thing.

The whole episode leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren't able to get a specific answer on whether or not it was up for contesting such actions.

Anti-virus firms have been stung with lawsuits before over the detection of user-installed bundled spyware on Windows machines, something that might easily be repeated in the Android arena. Notorious, defunct crapware vendor Zango unsuccessfully sued security software maker Kaspersky Lab for calling its product "spyware". Kaspersky manned up and fought the action, defending an important principle in the process. Other security firms might decide to duck this kind of fight.

Carrier IQ's initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness the firm has since tried to explain what it's about and how its technology operates in a way that has defused many (but not all) of the original concerns.

Smartphone manufacturers and network providers confirmed that phones using Carrier IQ tracking software include Apple, AT&T, Sprint, HTC, and Samsung. Although iPhone users are also affected, the issue of whether anti-malware software can protect them doesn't arise because on-board anti-virus scanners for iOS are against the Jobsian faith. Users of Android devices who take the trouble to apply security software are entitled to feel more protected, but the Carrier IQ affair raises doubts about this.

It's notable that Android anti-virus firms weren't saying: "Wow this app is weird and it has all these privileges" and asking questions about Carrier IQ until the same day Senator Al Franken sent a letter to Carrier IQ. This raises the question of whether these mobile security apps have the ability to detect something clearly malign – a future Android rootkit, for example. Recent tests by AV-Test.org that revealed the inadequacies of some Android freebie scanner products (Lookout wasn't tested) hardly inspire confidence on this point either.

Computer researchers at Rutgers University in the US developed a proof-of-concept rootkit back in March 2010. Security firms including Fortify Software and Imperva have since expressly warned of this risk. Lessons from history suggest not every security vendor will respond promptly to the risk if and when it arrives.

Seven years ago, when the Sony BMG CD copy-protection rootkit scandal broke, security researcher Mark Russinovich and F-Secure independently discovered the software at about the same time. F/Secure quickly and decisively stood up and condemned Sony's use of the same tactics used by virus writers in its copyright protection software. But it was only after Sony admitted it had erred that other anti-virus vendors belatedly added detection, as explained in a good historical overview of the whole sorry affair by Bruce Schneier here.

Lookout disagrees that this analogy was appropriate. The Sony rootlet involved a third-party modifying software, it said. Carrier IQ supplied a diagnostic kit built into phones and was more akin to Microsoft Software Update. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
EE accused of silencing customer gripes on social media pages
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
Broadband slow and expensive? Blame Telstra says CloudFlare
Won't peer, will gouge for Internet transit
prev story


Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?