Figure 1. Certificate of the known server
Figure 2. Information is posted via HTTPS to the server

Known public services - Android malware can also take advantage of known public services for attacks. Based on our analyses, three types of application services are frequently exploited by Android malware: e-mail over SSL, Google Cloud Messaging (GCM) for Android, and popular social networks. By using known public services based on SSL, attackers can launch command-and-control (C&C) attacks easily and without calling attention to themselves.

The Abuse of Known Public Services

We have observed several Android malware families exploit the aforementioned public services:

Use of email - ANDROIDOS_GMUSE.HNT pretends to be a file manager app. This malware steals user and device information, such as the IMEI, phone number, and images stored on the SD card. Whenever the user starts the app or the phone reboots, the app starts a backend service to dump the aforementioned information and uses a hard-coded Gmail account and password to send it to a particular email address.
Figure 3. Snippet of code including the Gmail account

Google Cloud Messaging - ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information such as the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app then posts the stolen data via Google Cloud Messaging, which also serves as the app's C&C channel: commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging.
Figure 4. Malware uses Google Cloud Messaging to track current location

Popular social networks - ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL.
Figure 5. ‘this.WILLIAM’ contains the crawled strings

The SSL (Dis)Advantage

There are several possible reasons why cybercriminals are using SSL. Compared to plaintext transmission, data sent through SSL cannot be easily uncovered, so some dynamic analysis methods based on TCP traffic monitoring may not work well. Cybercriminals may also have targeted SSL servers and services because they do not need to exert much effort to gain access to them: they can do so via normal and legal means, such as buying a virtual host from a web-hosting service or registering a new account on Twitter.

Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed to remove related URLs, email addresses, and the like.

Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices.

We have notified Google about this issue.
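Because the traffic itself is encrypted, the three abuse patterns above (SMTP over SSL with a hard-coded mailbox, a GCM receiver used for C&C, and a Twitter-derived C&C URL) are easier to triage statically, from a decompiled app's string table and manifest, than from the network. The following is an added example written for this page, not code from the post or from the vendor; the indicator patterns, the Gmail address and the sample manifest are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str   # which abuse pattern the indicator points at
    evidence: str   # the matched text, kept for the analyst's report

# Heuristic rules (assumptions about how such apps look, not taken from the post):
# Gmail SMTP host / JavaMail SSL properties, a baked-in Gmail mailbox, the GCM
# receiver or intent action in the manifest, and a Twitter URL usable as a C&C seed.
RULES = [
    ("smtp_over_ssl", re.compile(r"smtp\.gmail\.com|mail\.smtp\.(socketFactory|ssl|starttls|auth)", re.I)),
    ("hardcoded_mailbox", re.compile(r"[\w.+-]+@gmail\.com\b", re.I)),
    ("gcm_receiver", re.compile(r"com\.google\.android\.c2dm\.intent\.RECEIVE|GCMBroadcastReceiver", re.I)),
    ("social_network_c2", re.compile(r"https?://(?:www\.|mobile\.)?twitter\.com/[\w/]+", re.I)),
]

def scan(strings, manifest):
    """Run every rule over the recovered string table and the manifest text."""
    findings = []
    for text in [*strings, manifest]:
        for category, pattern in RULES:
            for match in pattern.finditer(text):
                findings.append(Finding(category, match.group(0)))
    return findings

def categories(findings):
    return sorted({f.category for f in findings})

def assess(findings):
    """High: SMTP over SSL paired with a hard-coded mailbox (GMUSE-style exfiltration).
    Medium: any public-service channel on its own. A lone support address is not flagged."""
    cats = set(categories(findings))
    if {"smtp_over_ssl", "hardcoded_mailbox"} <= cats:
        return "high"
    if cats & {"smtp_over_ssl", "gcm_receiver", "social_network_c2"}:
        return "medium"
    return "low"

# Constructed sample input resembling a decompiled "file manager" app (not a real sample).
SAMPLE_STRINGS = [
    "smtp.gmail.com", "465", "mail.smtp.socketFactory.class",
    "javax.net.ssl.SSLSocketFactory", "sync.helper.bot@gmail.com",
    "javax.mail.PasswordAuthentication", "/sdcard/DCIM/",
]
SAMPLE_MANIFEST = """<manifest package="com.example.filemgr">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <receiver android:name=".GCMBroadcastReceiver">
    <intent-filter><action android:name="com.google.android.c2dm.intent.RECEIVE"/></intent-filter>
  </receiver>
</manifest>"""

if __name__ == "__main__":
    found = scan(SAMPLE_STRINGS, SAMPLE_MANIFEST)
    print(assess(found), categories(found))  # → high ['gcm_receiver', 'hardcoded_mailbox', 'smtp_over_ssl']
```

The rules are deliberately coarse; in practice the "high" verdict is a queue for manual review, since the pairing of a mailbox with SMTP-over-SSL code is what separates exfiltration from an app that merely lists a support address.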