
Google intensifies security protection on Android with new tools for app security.
The open-source binary analysis tool Capa has been updated to enhance security on Android devices.
Google is enhancing Android security by incorporating new tools for application security in collaboration with Mandiant FLARE. Lin Chen, a member of the Android Security and Privacy team, announced that improvements are being made to Capa, an open-source binary analysis tool. This update will allow the tool to be more effective in evaluating ARM ELF files, which are commonly used in malware targeting Android.
During the presentation of this collaboration, Chen shared a case in which an illegal gambling application was detected disguised as a music app on the Google Play Store. This application was secretly loading gambling sites in specific regions and employed various techniques to evade detection, such as hiding key functions in a native ELF file and performing dynamic downloads of malicious code.
By combining static analysis with Capa, the Google team was able to identify the deceptive behaviors of the application and remove it from the store. Capa is designed to detect malware capabilities in ELF files, and new rules specific to the Android environment have recently been created. These rules identify suspicious behaviors such as calls to the ptrace API (anti-debugging), extraction of device and timezone information, and the downloading and decrypting of code.
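As an added illustration (not one of the rules Chen announced), here is what a capa rule for the ptrace anti-debugging behavior mentioned above can look like, written in the capa v7 YAML rule syntax; the author address and the example hash are placeholders:

```yaml
rule:
  meta:
    name: check for debugger via ptrace (Android native ELF)
    namespace: anti-analysis/anti-debugging/debugger-detection
    authors:
      - analyst@example.com          # placeholder author
    scopes:
      static: function               # match on a single function's features
      dynamic: call                  # match on one API call in a sandbox trace
    examples:
      - PLACEHOLDER_SAMPLE_SHA256    # replace with a hash of a real matching sample
  features:
    - and:
      # the function imports/calls ptrace from libc
      - api: ptrace
      - or:
        # PTRACE_TRACEME (0): the process asks to be traced by its parent,
        # so a debugger can no longer attach to it
        - number: 0x0 = PTRACE_TRACEME
        # PTRACE_ATTACH (16): attach to another process for the same effect
        - number: 0x10 = PTRACE_ATTACH
```

Small constants such as 0x0 occur in many functions, so the `api: ptrace` term is what keeps this rule from being noisy; a rule directory containing it is run against a native library with `capa -r <rules-dir> <sample.so>`.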
Additionally, Google's Gemini AI model has been integrated to summarize the most suspicious functions highlighted by Capa. It assesses risk levels and provides insights into obfuscation, anti-debugging, and cloaking techniques, which speeds up malware detection and the drafting of new rules.
Chen concluded by stating that with the support of Gemini, their analysts can spend less time on sophisticated samples, reducing exposure to malicious applications and thus ensuring the security of the Android ecosystem.