Antivirus, Android and x86. Interaction Features



    The topic of optimizing Android applications for the x86 platform keeps coming back on the pages of our blog. Today we look at the problem from a somewhat specific angle. Are viruses ... ported to Intel? What are the nuances of how antivirus software functions on different platforms? What problems do antivirus developers face when optimizing? We put these questions to the Kaspersky Lab team that develops the antivirus for Android.

    Let's start from the beginning. We install an application (by clicking on an unverified link or by starting the installation manually) and get an APK that includes not only the declared functionality but also malware that steals passwords, sends premium-rate SMS or locks the smartphone and then demands a ransom. Right?
    In general, yes. Visitors to all kinds of pirated sites are at the greatest risk, but occasionally an infection seeps even into the large official app stores.

    We assume that there is some kind of signature database used to search for malicious code. Should it be different for ARM and x86? Do we understand correctly that a separate database had to be created for x86, and that the main work in porting to x86 was precisely in creating this database?
    The database of signatures and heuristic rules is platform-independent. In general, most Android malware has no native part at all, and all of its malicious code is written exclusively in Java, so the difference in architecture is not significant in this case.
    In any case, we support the detection of ARM objects even on x86.
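    The answer above makes two points worth seeing in code: most Android malware has no native part, and a signature engine need not care which ABI a native object was built for. The following Python is an example added to this article (it is not Kaspersky Lab's engine or any code from the interview). It opens an APK as the ZIP it is, lists which lib/<abi>/ objects it ships and reads each object's ELF e_machine field (so an ARM object placed under lib/x86 is still recognised for what it is), and then matches a byte signature across every entry, classes.dex and shared objects alike, regardless of ABI. The three sample APKs, the ELF header stubs, the marker string and the signature name are all constructed for the example, and a substring match stands in for a real rule language.

```python
"""Inspect an APK for native ABIs and run an ABI-agnostic byte-signature scan.

Illustrative code added to this article; it is not Kaspersky Lab's engine.
The APKs, the ELF stubs, the marker string and the signature name are
constructed for the example.
"""
import io
import struct
import zipfile

# ELF e_machine values (from the ELF specification) that matter on Android.
EM_NAMES = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}

# Constructed signature: name -> byte pattern. A substring match stands in
# for a real rule language; the point is that the pattern is matched
# wherever it occurs, whatever the ABI of the file containing it.
SIGNATURES = {"constructed.premium_sms_marker": b"SEND_SMS_TO_PREMIUM_NUMBER"}


def elf_stub(machine):
    """Constructed 20-byte ELF32 header prefix with the given e_machine."""
    e_ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9   # ELF32, little-endian
    return e_ident + struct.pack("<HH", 3, machine)   # e_type=ET_DYN, e_machine


def build_apk(entries):
    """Build an in-memory APK (a ZIP file) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def elf_machine(data):
    """Return the e_machine name of an ELF blob, or None if it is not ELF."""
    if len(data) < 20 or not data.startswith(b"\x7fELF"):
        return None
    # e_machine sits at offset 18 in both ELF32 and ELF64 headers.
    (machine,) = struct.unpack("<H", data[18:20])
    return EM_NAMES.get(machine, "EM_%d" % machine)


def native_objects(apk_bytes):
    """List (abi_dir, e_machine name) for every lib/<abi>/*.so entry.

    Pure-Java APKs return []. A mismatch between abi_dir and e_machine means
    the packager (or the malware author) mislabelled the object.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                found.append((parts[1], elf_machine(z.read(name))))
    return sorted(found)


def scan_apk(apk_bytes, signatures=SIGNATURES):
    """Return sorted (entry name, signature name) hits over every file entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            for sig_name, pattern in signatures.items():
                if pattern in data:
                    hits.append((info.filename, sig_name))
    return sorted(hits)


MARKER = SIGNATURES["constructed.premium_sms_marker"]

# Constructed sample 1: pure-Java malware, payload in classes.dex, no lib/ at all.
PURE_JAVA_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + MARKER,
})

# Constructed sample 2: "fat" APK shipping the same native payload for ARM and x86.
FAT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00",
    "lib/armeabi-v7a/libpayload.so": elf_stub(40) + MARKER,
    "lib/x86/libpayload.so": elf_stub(3) + MARKER,
})

# Constructed sample 3: an ARM object placed under lib/x86 (the directory name lies).
MISLABELLED_APK = build_apk({
    "classes.dex": b"dex\n035\x00",
    "lib/x86/libnative.so": elf_stub(40),
})

if __name__ == "__main__":
    samples = [("pure-java", PURE_JAVA_APK), ("fat", FAT_APK), ("mislabelled", MISLABELLED_APK)]
    for label, apk in samples:
        print(label, native_objects(apk), scan_apk(apk))
```

    Running the script prints, for each constructed sample, the native objects found and the signature hits. The pure-Java sample yields no native objects but is still detected, the fat APK is detected in both its ARM and its x86 object, and the mislabelled sample shows why reading the ELF header is more trustworthy than the directory name.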


    If malware authors for Android turned out to be quicker than some authors of legitimate programs and ported their creations to x86, does this mean that your antivirus for ARM (running through the translator) could not, in principle, detect such viruses, since it did not have the corresponding databases “with code samples”, and found only malware in pure Java and in ARM applications?
    For us it makes no difference whether the code is ARM or x86. Our engine examines objects regardless of the platform it runs on, i.e. our product on any platform is able to detect both ARM and x86 malware, provided they are in the database.

    Is there really x86 malware? How big is its database?
    We have not seen any that works only on x86 and not on ARM. That would contradict the logic of virus writers, who are interested in the widest possible distribution of their offspring.

    But that is about malware. Are there real viruses for Android, i.e. pieces of code that can infect other files in order to spread, and that also self-modify to trick antiviruses? If so, how many are there, do they include native code or is Java enough, and which files can they infect?
    Well, to begin with, there is no need to infect other files in order to spread. Malware can, for example, send links to itself to everyone on the contact list. This behaviour belongs to the Worm class. But there are no classic infectors (or polymorphic viruses) for Android yet.

    As you already said, the antivirus code is almost entirely native, but, as is proper for Android applications, it is built as a set of libraries that get called. Instead of the “standard” location /lib, the libraries are hidden deeper in the hierarchy. If possible, explain why this is done.
    Most libraries are in the lib folder; the antivirus databases, which require regular updates, have been moved out separately, since they cannot be updated inside the lib folder, which is not writable.


    How exactly does the antivirus work? Does it check applications just before launch, or on disk too; can it track “suspicious” operations in real time? And what exactly does it do when they are discovered?
    The antivirus in Kaspersky Internet Security for Android scans applications during installation and update, on the user's request (when the user taps the scan button), and on a schedule (set in the product settings). In addition, files saved to the Download folder are scanned (files the user downloads in the browser are saved there). There is also an advanced protection mode, in which files on the memory card are checked on every change, as are all new files written to the memory card.
    As in Kaspersky Lab's “desktop” products, Kaspersky Internet Security for Android uses a whole range of technologies to detect malicious programs, including a heuristic engine that detects entire families of malware by their common traits. At the same time, we have a requirement that the median CPU load from our product does not exceed 10% during normal use of the device.


    What was done to add x86 support to the Android product?
    Our Android product uses many cross-platform components of our own design, written in C++ and used in most Kaspersky Lab products. That is, most security modules were originally written for easy integration on different platforms. Getting them to build for Android x86 was not difficult: a small change in the makefiles, a click of a button, and the product is ready :). The main load fell on the testing department, as x86-based Android devices were added to the already long list of test configurations and scripts, which are now officially supported.
    Previously, on x86 devices our product ran through the Houdini library. Of course, in that case binary translation of the code is performed, to some detriment of performance.


    Of course, talking about an x86 build would not be complete without measuring the performance gain compared with the old, “binary-translated” version. Intel experts tested the speed of Kaspersky Internet Security 11, built for x86 and for ARM, on a device based on the Intel Clover Trail platform (Intel Atom Z2760 processor). The results were as follows: the performance of the native x86 application in file-scanning mode increased by 2.7 times. In fairness, it should be noted that at the same time there was a slight (15 percent, to be precise) increase in the device's power consumption during operation. But taking into account the reduction in scanning time, the overall result of the x86 version is unconditionally better than the original.

    So, viruses do not need to be optimized for x86, but for useful programs, including antiviruses, it is highly desirable. And the more important performance and speed are for a piece of software, the more carefully you need to approach this issue.
