The theme of optimizing Android applications for the x86 platform does not leave the pages of our blog. Today we look at the problem from a somewhat specific angle. Are viruses being ported to Intel ...? What are the nuances of how antiviruses function on different platforms? What problems do anti-virus software developers encounter on the path to optimization? We put these questions to the Kaspersky Lab team that develops the antivirus for Android. Let's start from the beginning.

We install an application (by clicking on an unverified link or launching the installation manually) and get an APK that includes not only the declared functionality but also malware that steals passwords, sends paid SMS or blocks the smartphone with a subsequent ransom demand. Right?

In general, yes. Visitors to various kinds of pirated sites are most at risk, but occasionally infection finds its way even into large official app stores.
We assume that there is some kind of signature database used to search for malicious code. Should it be different for ARM and x86? Do we understand correctly that for x86 you had to create your own database, and that the main work in porting to x86 was precisely creating this database?

The database of signatures and heuristic rules is platform-independent. In general, most Android malware does not have a native part at all, and all of its malicious code is written exclusively in Java, so the difference in architecture is not significant in this case. In any case, we support detecting ARM objects even on x86.
If the authors of malicious programs for Android turned out to be more agile than some authors of legitimate programs and ported their creations to x86, does that mean that your antivirus for ARM (working through the translator) could not detect such viruses in principle, as there were no corresponding databases with code samples, and it only detected malware written in pure Java and in ARM applications?

For us there is no difference whether the code is ARM or x86. Our engine examines objects regardless of the platform on which it runs. That is, our product on any platform is able to detect both ARM and x86 malware, if they are in the database.
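To illustrate the platform-independent detection described in the two answers above, here is an added example (not Kaspersky Lab code, and not the engine's real format): it walks the native libraries inside an APK, reads the architecture from each ELF header, and matches a constructed byte-pattern signature that hits both the ARM and the x86 build of the same library. The APK, the ELF stubs and the signature are all constructed inline for the demo.

```python
import io
import struct
import zipfile

# Constructed signature "database": family name -> byte pattern. A pattern is
# platform-independent, so one entry matches both the ARM and the x86 build.
SIGNATURES = {"Demo.Marker": b"CONSTRUCTED-MARKER"}

# e_machine values from the ELF specification.
ELF_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86_64", 0xB7: "ARM64"}

def fake_elf(e_machine, payload):
    """Minimal 32-bit little-endian ELF header (52 bytes) followed by a payload.
    Constructed for the demo; it is not a loadable binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHI", 2, e_machine, 1) + b"\x00" * 28 + payload

def elf_arch(blob):
    """Name the architecture recorded in an ELF header, or 'not-ELF'."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return "not-ELF"
    endian = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_machine,) = struct.unpack(endian + "H", blob[18:20])
    return ELF_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)

def scan_apk(apk_bytes, signatures=SIGNATURES):
    """Return (entry, arch, family-or-None) for every native library under lib/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            blob = zf.read(name)
            hit = next((fam for fam, pat in signatures.items() if pat in blob), None)
            findings.append((name, elf_arch(blob), hit))
    return findings

def build_sample_apk():
    """Constructed APK: one marked library built for ARM and for x86, plus a clean one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/armeabi-v7a/libmarked.so", fake_elf(0x28, b"arm:CONSTRUCTED-MARKER"))
        zf.writestr("lib/x86/libmarked.so", fake_elf(0x03, b"x86:CONSTRUCTED-MARKER"))
        zf.writestr("lib/x86/libclean.so", fake_elf(0x03, b"nothing to see here"))
    return buf.getvalue()

if __name__ == "__main__":
    for entry, arch, family in scan_apk(build_sample_apk()):
        print("%-32s %-6s %s" % (entry, arch, family or "clean"))
```

A hash-based signature would need one entry per build, which is why content patterns and heuristic family rules are what make a database platform-independent in practice.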
Is there really x86 malware? How big is its database?

We have not encountered any that works only on x86 and does not work on ARM. This contradicts the logic of virus writers, who are interested in maximizing the distribution of their creations.
But this is about malware. Are there real viruses for Android, i.e. pieces of code capable of infecting other files, spreading and self-modifying to deceive antiviruses? If so, how many are there, do they include native code or is Java sufficient, and what files can they infect?

Well, let's start with the fact that for distribution there is no need to infect other files. You can, for example, send links to yourself to everyone on the contact list. This behavior belongs to the class of worms. And there are no classic infectors (or polymorphs) for Android yet.

As you have already said, the antivirus code is almost all native, but, as it should be for Android applications, it is built as a set of called libraries. The libraries from the "standard" place, /lib, are hidden deeper in the hierarchy. If possible, explain why this is done?

Most of the libraries are in the lib folder; the anti-virus databases that require regular updates are kept separately, since they cannot be updated in the lib folder, which is not writable.
How exactly does the antivirus work? Does it check applications only before launch, or on disk too? Can it track "suspicious" operations in real time? And what exactly does it do when they are detected?

Anti-Virus in Kaspersky Internet Security for Android checks applications as they are installed and updated, at the request of the user (if the user clicked the scan button), and on a schedule (the schedule is selected in the product settings). In addition, the files saved in the Download folder are scanned (the files that the user downloads in the browser are saved there). There is also an extended protection mode, in which the files on the memory card are checked for any changes, as well as all new files written to the memory card.

As in the "desktop" products of Kaspersky Lab, Kaspersky Internet Security for Android uses a whole range of technologies to detect malware, including the heuristic engine, which allows entire families of malware to be detected using common features. In this case, we have a requirement that the median CPU load from us does not exceed 10% during normal use of the device.
What has been done to add x86 support to the Android product?

Our Android product uses many cross-platform components of our own design, written in C++ and used in most Kaspersky Lab products. That is, most security modules are originally written for easy integration into different platforms. Ensuring that they build under Android x86 was not difficult: small changes in make-files, pressing a button, and the product is ready :). The main burden fell on the testing department, because x86-based Android devices, which are now officially supported, were added to the already long list of test configurations and scripts. Previously, on x86 devices, our product worked using the Houdini library. Of course, in this case, a binary translation of the code is performed, with a certain cost to performance.
Yes, of course, talking about an x86 build would be incomplete without measuring the performance gain compared to the old, "binary-translated" version. Intel experts tested the speed of Kaspersky Internet Security 11, built for x86 and for ARM, using a device on the Intel Clover Trail platform (Intel Atom Z2760 processor). The results were as follows: the performance of the native x86 application in file scanning mode increased by 2.7 times. Although, in fairness, it should be noted that there was some (more precisely, 15 percent) increase in the power consumption of the device during operation. But, taking into account the shorter scan time, the overall result of the x86 version is unconditionally better than the original one.
So, it is not necessary to optimize viruses for x86, but optimizing useful programs, including antiviruses, is highly desirable. And the more important performance and speed are for a piece of software, the more carefully this issue needs to be approached.