On Thu, Mar 25, 2010 at 4:14 AM, Yi-Hau Li <[email protected]> wrote:
> 2010/3/25 Dianne Hackborn <[email protected]>:
>> On Thu, Mar 25, 2010 at 12:34 AM, Yi-Hau Li <[email protected]> wrote:
>>>
>>> Before I have the same question as Sveta, but after some study for
>>> current antivirus tool on Market,
>>> I observed that it is still able to scan or detect suspicious
>>> app/events to some extent, for instance:
>>> once a package was installed, scan its contents and warn the owner if
>>> necessary. (/data/app is world-readable)
>>
>> Note that all the app needs to do is have itself installed as forward-locked
>> and no other app will be able to access its code. (Its real .apk will be
>> installed in another directory, which is only accessible by the app.)
>>
>
> Yeah, you're correct. For those cases I can only think of two ways to do
> "minor" scan. (in cache directory where *classes.dex exists, or
> simply query pm)

Even this is not enough. An application could potentially just distribute a tiny APK that just has a downloader and stubs, and then downloads most of its code from the internet when needed. It can then start up a classloader using a private directory for its dex file cache.
