BroadAnywhere
Firstly, BroadAnywhere is not a virus or malware. It's just an ordinary software bug in Android.
I became aware of this after I installed an antivirus on an Android phone and the antivirus said it detected the BroadAnywhere vulnerability and was now able to protect the phone from it. Made me curious, and I dug up the actual flaw and its solution:
BroadAnywhere is tracked as Bug: 17356824 in Android's operating system code and won't be found in any Android OS released after September 10 2014, which means Android version 5.0 onward.
The bug
// The base Intent is empty, so the app that receives this PendingIntent can fill in its fields.
mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);
Apps in Android communicate with each other using the Intent object. When your app gives a PendingIntent (a reference token) to another app, you're giving it the right to perform the operation you specify (the Intent), using the same identity and permissions as your app. If your app does not cancel the PendingIntent, the other app will be able to continue using it even if your app is closed/killed.
Bug 17356824 was a problem because the Add Account Settings section in Android needed to identify the app that was invoking it, and the PendingIntent it created for that purpose unwittingly allowed the invoker app not only to send its identity information but also to launch activities, services or broadcasts. So anyone can create an app that misuses this PendingIntent, and either make your phone crash or wipe all data in your phone or send spam to your phone or send fake SMSes.
The fix
private static final String SHOULD_NOT_RESOLVE = "SHOULDN'T RESOLVE!";
// Pin the component, action and category to a value that matches nothing,
// so the PendingIntent still identifies the caller but should not resolve to any receiver.
Intent identityIntent = new Intent();
identityIntent.setComponent(new ComponentName(SHOULD_NOT_RESOLVE, SHOULD_NOT_RESOLVE));
identityIntent.setAction(SHOULD_NOT_RESOLVE);
identityIntent.addCategory(SHOULD_NOT_RESOLVE);
mPendingIntent = PendingIntent.getBroadcast(this, 0, identityIntent, 0);
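Why the fix works, as an added example that is not from the original post or from Android's source: a simplified plain-Java model of the rule Intent.fillIn applies when the holder of a PendingIntent sends it along with an Intent of its own. The Intent stand-in class, the receiver table and the com.example names are constructed for illustration, and extras and MIME type handling are left out.

```java
import java.util.*;

// Simplified model of android.content.Intent#fillIn(other, 0), i.e. no FILL_IN_* flags.
// Not Android code: Intent here is a stand-in holding only the fields the rule touches.
public class FillInModel {
    static final String SHOULD_NOT_RESOLVE = "SHOULDN'T RESOLVE!";

    static class Intent {
        String action, data, pkg, component;
        List<String> categories;

        // Returns the names of the fields the PendingIntent holder managed to set.
        List<String> fillIn(Intent other) {
            List<String> changed = new ArrayList<>();
            if (other.action != null && action == null) { action = other.action; changed.add("action"); }
            if (other.data != null && data == null) { data = other.data; changed.add("data"); }
            if (other.categories != null && categories == null) { categories = other.categories; changed.add("categories"); }
            if (other.pkg != null && pkg == null) { pkg = other.pkg; changed.add("package"); }
            // component: only copied when the creator opts in with FILL_IN_COMPONENT,
            // which neither snippet on this page does, so the model never copies it.
            return changed;
        }
    }

    // Constructed receiver table: an implicit broadcast matches on action,
    // an explicit one (component set) only reaches that exact component.
    static String resolve(Intent i, Map<String, String> receiversByAction) {
        if (i.component != null) {
            return receiversByAction.containsValue(i.component) ? i.component : null;
        }
        return i.action == null ? null : receiversByAction.get(i.action);
    }

    public static void main(String[] args) {
        Map<String, String> receivers = Map.of("com.example.PRIVILEGED_ACTION", "com.example/.Receiver");
        Intent fromHolder = new Intent();   // what the other app supplies when it sends the PendingIntent
        fromHolder.action = "com.example.PRIVILEGED_ACTION";

        Intent vulnerable = new Intent();   // base Intent before the fix: every field unset
        System.out.println("before fix: filled " + vulnerable.fillIn(fromHolder)
                + ", delivered to " + resolve(vulnerable, receivers));

        Intent fixed = new Intent();        // base Intent after the fix
        fixed.component = SHOULD_NOT_RESOLVE + "/" + SHOULD_NOT_RESOLVE;
        fixed.action = SHOULD_NOT_RESOLVE;
        fixed.categories = List.of(SHOULD_NOT_RESOLVE);
        System.out.println("after fix:  filled " + fixed.fillIn(fromHolder)
                + ", delivered to " + resolve(fixed, receivers));
    }
}
```

In the model, the empty base Intent takes the holder's action and reaches the receiver, while the fixed base Intent accepts none of the holder's fields and resolves to no receiver.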
Now the interesting part is that antiviruses for mobile phones claim to be able to protect us from this problem. I asked on StackExchange's Android forum, got an upvote, but no reply.
Antiviruses
Windows users would be all-too-familiar with viruses and antiviruses that "catch" and "destroy" them.
Antiviruses use two techniques:
1. Virus signatures: A signature is just a sequence of bytes, unique to a certain virus, that the antivirus searches for, the same way you do a string search. Programmers started creating viruses that were capable of encrypting and decrypting themselves (and thus hiding their signature) and capable of creating variants of their signature each time they encrypted or decrypted themselves. Next came polymorphic viruses, which changed the signature of the encryptor and decryptor itself each time they replicated.
2. Heuristics: The file being scanned is allowed to run in a special virtual environment (something like a sandbox) and the antivirus watches for virus-like behaviour (replication, overwriting files or hiding suspicious files).
I've blogged about killing viruses... http://nrecursions.blogspot.com/2014/05/destroy-windows-viruses-with-linux.html
... and even after I killed a virus, antiviruses in Windows would identify the file as a virus. That's because of Virus Signatures.
So can an Android Antivirus protect you from BroadAnywhere?
The websites of these antiviruses claim to protect you, but haven't offered any explanation of how they do it. They definitely can't peep inside an app and check the lines of code to see what kind of an Intent is being sent, but if the antivirus company maintains a very-frequently updated list of malicious apps, it might be able to warn you that an app you're about to install is harmful.
Question is, do they really do it? It'd require a dedicated team who would actively search for malicious apps and test them. Would a company do so much for free? Or would they make their money by tracking your phone and the data in it (given the high level of permissions that antivirus apps request)? It's a matter of trust.
Do you need an Antivirus at all?
The answer is "no". The average Android user (99% of users) does not need an antivirus.
Google's lead engineer for Android security himself speaks of why an antivirus is unnecessary and what the more pressing concerns are. Like in Linux, where your system can get infected only if you deliberately give root access to a malicious program, the one way your phone can be susceptible to viruses or malware is if you decide to give an app elevated permissions on your phone.
So to stay safe, only install apps from trusted sources like Google Play, be a bit suspicious, and follow up on apps that ask for permissions that seem unnecessary. If you're careful, you won't need an antivirus. It's not just about data and security. Many apps gather data about you and your location. Your privacy is also important.
________________________________
Answer to a comment below: @Scott: I haven't tried this yet, but from what I hear, even if your phone is rooted, an app can cause damage only if you give it permission to. So I would assume malware which exploits BroadAnywhere through another app would be able to do so only if you allow the app to execute those commands.
SuperSU available on Google Play is said to give you the ability to control which apps you want to run as root, which commands those apps run and even to be able to give you the ability to identify and stop malicious apps.
The Android forums can give you more info on this. Do post back on NRecursions if you have feedback to share! :-)
The best security you can have is in being aware of what you are installing and not connecting to unknown Wi-Fi networks. When in doubt, ask on the forums.