Experts regularly announce one or the other file storage as a new base for hacker attacks. This is an actual problem, and in theory the owners of these services should deal with it. Therefore, I decided to do a little research, create accounts in well-known cloud services and check the effectiveness of anti-virus protection.
Attention! Spreading malware is a criminal offence.
The actions described below were not intended to distribute malware and harm anyone. During the experiments, not a single file left the private disk space allocated for test accounts. None of the files have been published in any way. Not a single malicious program was used for its intended purpose. No computer system or user was affected. All malicious files were destroyed. All the events described are the product of the imagination of the author of the text and did not take place in reality.
The object of research will be a dozen repositories, the names of which I remembered in the first place:
- Google Drive
- Amazon Drive
- Yandex Disk
- Dropbox
- Box
- Proton Drive
- iCloud
- Mail.ru cloud
- OneDrive
- Mega
I decided to use the web versions of these services to upload files and created a new account in each of them.
Sample preparation
Let’s see what the world’s virus industry has to offer, since information security specialists collect and regularly update collections of malware. To start the experiment, the APT Collection for 2021 from the vx-underground portal is quite suitable . This is a 3.5 GB archive of malware that was discovered during the investigation of various targeted attacks on the corporate sector. I sorted them by time and took the 50 most recent samples.
Very evil things got into this sample, for example:
- Hello Kitty/FiveHands is the latest version of the famous ransomware discovered in January 2021. It uses vulnerabilities in SonicWall products to penetrate internal company networks (sample 2021.10.28).
- FiveSys is a rootkit with a valid Microsoft digital signature that slips an auto-configuration script into browsers and redirects Internet traffic to an attacker’s proxy server. By the way, at the same time it blocks the download of drivers from other hacker groups (sample 2021.10.20(1)).
- PseudoManuscrypt is a multifunctional malware that steals VPN connection data, logs keystrokes, takes screenshots, extracts data from the clipboard and operating system logs, and so on. Before the first detection, it managed to infect more than 35,000 computers in 195 countries around the world (sample 2021.12.16).
The files themselves have long names, so for simplicity, I renamed the samples according to the names of the folders in which they were located, and made three copies:
- original malicious files, without additional packaging;
- the same files placed in zip archives with a medium compression level;
- the same files into zip archives with a medium compression level, closed with a nine-digit password.
It’s worth mentioning that .zip does not hide the names of zipped files, even if they are password protected. This format also reveals the CRC checksums of archived files. In theory, this data can be used to detect malware, which is why malware researchers typically use 7-Zip to transfer files. It hides more information about the contents of the archive. At the same time, the villains actively use various obfuscation methods, but this is a simple basic experiment, so I did not further complicate the work of antiviruses.
Control check
Most of the samples in this collection are familiar to antivirus solutions and cause multiple positives when uploaded to VirusTotal.
Sample | Password protected archive (number of hits) | Archive | original file |
---|---|---|---|
2021.12.31 | 0 | 49 | 60 |
2021.12.30 | 1 Fortinet | 20 | 31 |
2021.12.28 | 1 Fortinet | 4 | 4 |
2021.12.17(1) | 0 | 2 | 2 |
2021.12.17(2) | 1 Fortinet | 37 | 42 |
2021.12.16(1) | 0 | 31 | 36 |
2021.12.16(2) | 0 | 38 | 45 |
2021.12.16 | 0 | 45 | 53 |
2021.12.15(1) | 1 Fortinet | 29 | 27 |
2021.12.14 | 0 | 31 | 34 |
2021.12.09 | 1 Fortinet | 45 | 56 |
2021.12.08 | 0 | 35 | 28 |
2021.12.07 | 0 | 0 | 0 |
2021.12.07(1) | 0 | 17 | 21 |
2021.12.06 | 0 | 30 | 34 |
2021.12.04 | 0 | 19 | 27 |
2021.12.03 | 0 | 38 | 46 |
2021.12.01 | 1 Fortinet | 30 | 32 |
2021.12.01(1) | 1 Fortinet | 36 | 45 |
2021.11.30 | 0 | 33 | 35 |
2021.11.29 | 0 | 37 | 36 |
2021.11.29(1) | 0 | 28 | 25 |
2021.11.23 | 0 | 23 | 29 |
2021.11.22 | 1 Fortinet | 43 | 41 |
2021.11.18 | 1 Acronis (Static ML) | 35 | 38 |
2021.11.17 | 1 Fortinet | 36 | 45 |
2021.11.10(2) | 0 | 30 | 31 |
2021.11.10(1) | 0 | 33 | 30 |
2021.11.08 | 0 | 42 | 52 |
2021.11.07 | 1 Fortinet | 40 | 46 |
2021.11.07(1) | 0 | 0 | 2 |
2021.11.03 | 1 Fortinet | 44 | 52 |
2021.11.02 | 1 Fortinet | 27 | 31 |
2021.10.28 | 0 | 0 | 0 |
2021.10.28(1) | 0 | 22 | 20 |
2021.10.27 | 1 Fortinet | 41 | 41 |
2021.10.27(1) | 0 | 48 | 50 |
2021.10.26 | 0 | 44 | 52 |
2021.10.26(1) | 0 | 33 | 37 |
2021.10.20(1) | 1 Fortinet | 41 | 45 |
2021.10.19 | 0 | 26 | 24 |
2021.10.19(1) | 1 Fortinet | 45 | 52 |
2021.10.18 | 1 Fortinet | 45 | 52 |
2021.10.14 | 0 | 30 | 33 |
2021.10.12 | 0 | 42 | 48 |
2021.10.11 | 1 Fortinet | 35 | 35 |
2021.09.30 | 0 | 30 | 31 |
2021.09.28(1) | 0 | 39 | 42 |
2021.09.23 | 0 | 38 | 44 |
2021.09.16 | 0 | 40 | 52 |
Samples packed in passwordless archives are slightly worse on average, but password-protected zip archives are practically not recognized. Only the anti-virus engine from Fortinet can cope, which correctly classifies individual suspicious samples despite password protection. For example, he accurately identified spyware from the Kimsuky hacker group .
Only the Hello Kitty/FiveHands ransomware (sample 2021.10.28) and one of the exploits used by FIN13, a cybercriminal who has been systematically attacking various organizations in Mexico since 2017 (sample 2021.12.07), have gone completely unnoticed. We will still observe them, but now it’s time to fill the cloud storage.
Google Drive
I could not find any information about which antivirus solution is responsible for protecting Google Drive. Be that as it may, it checks all uploaded files, the size of which does not exceed 100 MB. True, the results of his work are not immediately visible.
I started the experiment by downloading password-protected images, and none of these files aroused Google’s suspicions either 24 hours or two weeks after the download.
The second set of files – simple archives with samples – were also uploaded to the Disk without any problems. Not an hour later, not 24 hours later, the vault did not raise an alarm. An unlucky hacker in my place would be delighted, but it’s too early to rejoice. If you try to generate a link to a file, a warning flag appears. The same thing happens with simple, unarchived samples.

If you don’t touch the file, it can lie on the Disk for a long time without being flagged as a violation of the service rules. Google Drive does not display a warning about the danger immediately, but upon the first interaction with the object. Perhaps it is at this moment that the scanner is triggered. After that, the mailbox quickly fills with warnings.

Interestingly, when downloading, Google simply warns of the danger, and the flag next to the file does not appear until you try to create a link.

As a result, it turned out that password-free archives do not affect the accuracy of the local anti-virus scanner. Google Drive did not recognize only 5 samples in both batches. The exploit from FIN13 and Hello Kitty/FiveHands passed undetected just like the Flagpro malware (sample 2021.12.28).
Amazon Drive

Amazon has announced that it plans to shut down the public cloud within a year, but as long as it’s available, it looks like hackers can easily use the platform to distribute malware. The experiment lasted two weeks and Amazon Drive did not find any of the 150 samples.
Yandex Disk
According to an article from Hacker magazine , in 2010 Yandex used solutions from Doctor Web in its infrastructure. Since then, a lot of water has flowed under the bridge, but the proprietary file storage is still protected. “All files up to 1 GB in size created, uploaded or already stored on Yandex Disk are scanned by the Yandex Disk antivirus program” . Moreover, apparently, the check is performed immediately after the file is loaded. The only question is how well this protection works.

Password-protected archives loaded without problems and even after 14 days remained unnoticed, but this was expected. Much more interesting is the situation with regular archives and unpacked samples. Immediately after downloading the archived samples, Yandex Disk recognized and highlighted 16 malware with red icons. The rest of the files, including PseudoManuscrypt and Hello Kitty/FiveHands, successfully passed the check and did not arouse any suspicions until the end of the experiment. Anyone could easily download them from public links.

The same set of unpackaged malware caused only 15 detections. For some reason, the script from the WinPEAS set (sample 11/21/17) looked more suspicious in the archive than without it. However, he is not alone. In further experiments, there were other similar examples. It looks like a feature of the Yandex Disk anti-virus engine.
Dropbox
Until a few years ago, Dropbox did not have built-in antivirus protection, although users suggested that it be implemented . At first, it seemed to me that the situation had not changed.

The password-protected archives downloaded without hindrance and after 24 hours were still in place. The same thing happened with the other two batches of samples, but the most interesting thing happened after creating a link to one of the files. Dropbox generated the URL, but at some point withdrew the link and about an hour later sent this notification:

After clicking on the button, access to the function was returned, but an attempt to create a link to another one of the samples led to a second ban. This time it was not so easy to remove the restriction.

Dropbox offered to contact support, but contacting them from a free account is at least difficult. The chatbot does not understand what they want from it and refuses to invite live people to the chat. Perhaps they could help on the forum, but I did not understand. All the same, I would not have seen the reaction of the administrator, who looked at the contents of my disk.

With all this, problematic files in Dropbox are not marked in any way, so I could not calculate how many samples were recognized by the built-in protection. Perhaps this can be called a flaw. It is easy to imagine a situation in which a user accidentally uploads a malicious file to the cloud and tries to share it. Then he encounters restrictions, does not understand anything, tries to share again and finally loses the ability to share files.
Box

The creators of Box promote a paid virus scanner , but public free accounts don’t protect anything in my experience. For two weeks, none of the 150 samples in the archives and without, was found. A basic defense wouldn’t hurt. By not checking free storage, Box puts its enterprise customers at risk first.
Proton Drive

The new cloud storage from the creators of encrypted email made me download samples in three passes (it was too little space inside). Its creators rely on privacy and do not seem to check uploaded files in any way either. For 7 days, not a single sample was marked as malicious. However, you can come up with excuses for Proton. The vault is still in beta testing, and scanning user files doesn’t go well with betting on privacy and encryption.
iCloud

There are no viruses on Macs! Probably, this idea calms the Cupertino people so much that they did not connect the antivirus to iCloud. None of the samples were found during the experiment. Malicious files were freely downloaded from the generated links.
Mail.ru cloud
Mail (or is it VK?) writes that the files in the Cloud are protected by a solution from Kaspersky Lab. They even talked about how this antivirus scanner works on Habré .

Most likely, a lot has changed since then, but they still use the scanner developed in the Lab, and this solution proved to be worthy. Samples in password-protected archives were not detected, but in the case of other malware, the situation is better than, for example, in Yandex Disk.

Cloud Mail.ru checks files after downloading and immediately flags suspicious ones. Cloud Anti-Virus immediately recognized 40 archived samples, and a few minutes later added another one to the list. Among ordinary files, 41 immediately received the status of suspicious. Only 9 samples remained unrecognized, including the already mentioned Flagpro , the FIN13 exploit, Hello Kitty/FiveHands, and the MonPass CA client application with a built-in backdoor (sample 2021.12.15(1)). Google Drive marked it as malicious.

As a result, the Cloud prohibits the sharing of dangerous files and blocks their sending by e-mail through the built-in quick send dialog, but there are no restrictions on working with other files in the storage.
OneDrive
And now the highlight of our program is OneDrive. Not least because of this service, Microsoft’s servers have been considered ” the world’s best malware host ” for many years .

For two weeks, 150 viruses were stored in the cloud and the service showed no signs of concern. It seemed that the company was not taking any measures to protect against the spread of malware. It was possible to create a link to any of these files, moreover, a download dialog was available via the link. However, I noticed that the “download” button didn’t always respond to clicks: no warnings or explanations, it just didn’t work. I realized that this was not a bug only after I tried to upload an entire folder at once.

Instead of some samples, it contained txt files with virus warnings. At the same time, there was not a single hint in the web interface that OneDrive detected malicious files, although it would be logical to warn the user about this.
Total: OneDrive recognized the danger in 31 samples from the first and second sets, but did not find anything suspicious in the password-protected archives.
Mega

In the case of Mega, the result is a little predictable – this file hosting has long been chosen by malware distributors, and this is not surprising. The absence of anti-virus checks and the interface for batch creation of public links make it very convenient for all sorts of dubious personalities.
Summary statistics
When I started researching, I expected to collect rich statistics on the number of detected malware and make comparisons. In reality, Mega, Amazon Drive, iCloud, Proton Drive, Box immediately dropped out of the competition. 5 repositories out of 10 did not detect a single dangerous file during the 14 days of the experiment. To get a slightly clearer picture, I decided to increase the number of samples loaded. To do this, I took, packed and poured another 50 fresh samples from the Bazaar collection from July 2022. These are simpler malware that freely circulates on the network. Also, some anti-virus engines can unpack archives to scan the contents if they find a password nearby. So I added a fourth sample package, where in each zip folder there is a txt file called “password” and the corresponding contents.
Here’s what happened:
Google Drive | Mail.ru cloud | OneDrive | Yandex Disk | Dropbox | Mega, Amazon Drive, iCloud, Proton Drive, Box | |
---|---|---|---|---|---|---|
APT Collection – just files | 45 | 41 | 31 | 15 | ? | 0 |
APT Collection – Archives | 45 | 41 | 31 | 16 | ? | 0 |
APT Collection – encrypted archives | 0 | 0 | 0 | 0 | ? | 0 |
APT Collection – encrypted archives + password | 0 | 0 | 0 | 0 | ? | 0 |
Bazaar Collection – just files | 49 | 43 | 39 | 29 | ? | 0 |
Bazaar Collection – Archives | 49 | 43 | 39 | 31 | ? | 0 |
Bazaar Collection – encrypted archives | 0 | 0 | 0 | 0 | ? | 0 |
APT Collection – encrypted archives + password | 0 | 0 | 0 | 0 | ? | 0 |
Built-in protection only works in Google Drive, Yandex Disk, Mail.ru Cloud, OneDrive and Dropbox. However, Dropbox doesn’t flag infected files, so it’s unclear how good its antivirus engine is.
It can be said that the anti-virus scanner built into Google Drive turned out to be the most accurate, but no cloud storage can accurately recognize the danger. It is also worth noting that Yandex Disk does a worse job of finding utilities that are used for targeted attacks, and generally shows itself weaker than its competitors.
conclusions
As you can see, not all clouds are equally well protected from viruses. More precisely, half of them are completely unprotected. However, I cannot say that the absence of such protection is an unequivocal evil. Not all users want their files to be studied under a magnifying glass by the algorithms of corporations. This is not only a technical problem, but also, in part, an ideological one, and this only makes it more acute.
It seems that a scanner that checks only published files could be a good compromise, and for the rest it turns on on demand, but in this form, anti-virus checks are not implemented in any of the listed services. So for now, you have to choose between protection and privacy. You also have to feed downloaded files to VirusTotal and be especially suspicious of password-protected archives. So it goes.