Mobile devices have become a “must have” in today’s technology-driven society. Because of the convenience, advanced computing features, and impressive Web connectivity these offer, consumers and organizations alike are adopting mobile devices for both personal and business use. In 2010, Gartner noted a 31.8 percent increase in the sales of mobile devices, which reached 1.6 billion units.
As expected, cybercriminals are taking advantage of the popularity of mobile devices to conduct their money-making schemes. Below is a timeline of how mobile malware, in general, has evolved throughout the years:
Trend Micro particularly noted several threats targeting Google’s Android OS. We have seen several malware families posing as legitimate Android apps in the Android Market and in other third-party app stores. In such attacks, users are tricked into downloading Trojanized apps onto their mobile devices. Once installed, these apps perform several malicious routines that most often lead to information theft, the further download of other malware, or device compromise.
How do users get these threats?
Trend Micro has reported several incidents wherein malware came disguised as Android apps. Samples of Android malware found in the wild include:
Users may unwittingly download these applications from the Android Market and other third-party app stores and install these onto their mobile devices.
What happens once these threats are installed onto users’ mobile devices?
Malware that targets Android-based mobile devices may affect users differently. Its effects can range from sending text messages without the users’ consent to outright information theft. Based on our analyses, these malicious apps exhibit the following routines:
Attempts to send text messages containing the string “798657” to premium-rate numbers using the infected device’s current default SMS Center (SMSC) by exploiting the Permissions function (android.permission.SEND_SMS). Upon further analysis, however, it failed to successfully run due to

ANDROIDOS_DROISNAKE.A (aka Tap Snake)
Capable of sending an affected user’s GPS location via HTTP POST upon acceptance of its end-user license agreement (EULA).

Opens several ports and connects to specific URLs to receive and execute commands from a remote user. These commands allow the remote user to gather specific information and system properties from the infected device.

like International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers from infected systems, which are then sent to a specific site. It also downloads an updated copy of itself when executed.

ANDROIDOS_LOTOOR.A (aka fake Falling Down)
specific sites to send and receive information from a remote user. It steals information like ClientInfo as well as IMEI and IMSI numbers from infected devices. It also downloads other malicious apps onto the infected devices.

from an infected device, which is then sent to a remote user. It also intercepts sent and received text messages and calls, and downloads files and videos.

all incoming text messages to a remote user.

Attempts to send text messages to premium-rate numbers.

infected device’s GPS location, text and email messages, as well as calls. It also gives a remote user the capability to remotely listen to an affected user’s calls and to control an infected device via SMS.
How are users affected by this threat?
Apps like ANDROIDOS_DROIDSMS.A and ANDROIDOS_SMSREP.A were designed to send unauthorized text messages to known premium-rate numbers, which may lead to unnecessary and costly charges for affected users.
Apps like ANDROIDOS_SNAKE.A, ANDROIDOS_GEINIMI.A, ANDROIDOS_ADRD.A, ANDROIDOS_LOTOOR.A, ANDROIDOS_FAKEAP.A, and ANDROIDOS_FSPY.A put affected users at risk of information theft.
ANDROIDOS_DROISNAKE.A, in particular, when used with another app known as GPS SPY, can give out an affected user’s GPS location even if the former is not currently running on the infected device. Similarly, ANDROIDOS_FSPY.A monitors an infected device’s GPS location. Mobile devices infected with this malware are also prone to security breaches, as it enables a remote user to listen in to an affected user’s calls and to control an infected device via SMS.
Users whose mobile devices have been infected with ANDROIDOS_GEINIMI.A are at risk of becoming part of a mobile botnet, which in turn puts them at risk of losing the apps installed on their mobile devices.
ANDROIDOS_ADRD.A was primarily designed as a click-fraud Trojan that can put affected users at risk of exorbitant charges.
Apart from information theft, ANDROIDOS_LOTOOR.A also roots infected devices. Rooting allows a remote user to gain root privileges on an infected device. This malware uses two well-known binaries, namely rageagainstthecage and exploid, to root infected devices. It is also capable of downloading and installing other apps onto infected devices without the user’s knowledge. Users who downloaded the Trojanized version of Android Market Security Tool aka ANDROIDOS_BGSERV.A are also susceptible to information theft.
What makes this attack noteworthy?
Google made its Android platform open to all developers to make it more attractive to customers, as this spells more choices. Unfortunately, this openness also makes it attractive to cybercriminals. All an interested developer needs to do is pay a US$25 registration fee, after which they can upload to and sell apps on the Android Market.
Trend Micro chairman Steve Chang even commented on Android’s open policy. He said that this exposes the Android OS platform to more security threats, as hackers “can more easily understand the platform’s underlying architecture and source code.”
In 2010, Android OS overtook Apple’s iOS and RIM’s BlackBerry OS to become the most preferred mobile platform in the United States. Security researchers have thus predicted that Android’s popularity will make it the natural target of other, more sophisticated malware.
What are Trojanized apps? Where can users download these?
Trojanized apps are legitimate Android apps that cybercriminals have maliciously altered to serve their own purposes. They download, modify, and re-upload legitimate apps to the Android Market or other app stores. These apps are usually free, so more users are likely to download them onto their mobile devices.
What can users do to prevent this threat from entering their mobile devices?
User vigilance remains key to preventing the threats described above from infecting users’ mobile devices. Before installing an app, double-check which resources it requests access to. Trojanized apps usually ask permission to access information that may not even be related to what the app is supposed to do. The cybercriminals behind mobile device attacks rely on the fact that users do not fully read through end-user license agreements (EULAs) before accepting them.
As much as possible, users should only download from trusted sources and known developers. Users must also read the “Application Permissions” enumerated before installing apps. Do not run, and do report, an app that requests permissions it does not need for what it is supposed to do.
Users whose mobile devices have been infected with ANDROIDOS_DROISNAKE.A have two options: uninstall the app, or stop SnakeService. To do the latter, follow these steps:
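The permission review advised above can be automated for an analyst or app-store reviewer who has a decoded AndroidManifest.xml in hand. The following script is an added example written for this article; it is not Trend Micro tooling. It parses the manifest’s uses-permission entries, ignores the permissions a given app category is expected to need (the set for a simple offline game below is a constructed assumption), and flags the remaining permissions that map to the routines described in this article: sending SMS to premium-rate numbers, intercepting text messages, reading the GPS location, and reading device identifiers such as IMEI/IMSI. The package name and manifest contents are constructed sample data, not a real app.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes (android:name etc.)
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that enable the malicious routines described in the article.
# The permission names are real Android permissions; the mapping to a risk
# description is this example's own (constructed) annotation.
SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send text messages, e.g. to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept incoming text messages",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.ACCESS_FINE_LOCATION": "can read the device's GPS location",
    "android.permission.READ_PHONE_STATE": "can read device identifiers such as IMEI/IMSI",
    "android.permission.RECORD_AUDIO": "can capture audio from the microphone",
    "android.permission.PROCESS_OUTGOING_CALLS": "can observe or redirect outgoing calls",
    "android.permission.INSTALL_PACKAGES": "can install other apps (system-level permission)",
}

# Assumption: what a simple offline game plausibly needs. Anything sensitive
# outside this set is a mismatch between the app's purpose and its requests.
EXPECTED_FOR_GAME = {"android.permission.INTERNET", "android.permission.VIBRATE"}


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return sorted(
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    )


def audit_manifest(manifest_xml, expected):
    """Return (package_name, findings).

    Each finding is a (permission, reason) pair for a sensitive permission the
    app requests but which is not in the expected set for its category.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        reason = SENSITIVE_PERMISSIONS.get(perm)
        if reason:
            findings.append((perm, reason))
    return package, findings


# Constructed sample: a "game" repackaged with SMS, location and identifier access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.trojanized.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Game"/>
</manifest>
"""

# Constructed sample: the same kind of game requesting only what it needs.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.clean.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Game"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, CLEAN_MANIFEST):
        package, findings = audit_manifest(manifest, EXPECTED_FOR_GAME)
        print(f"{package}: {len(findings)} suspicious permission(s)")
        for perm, reason in findings:
            print(f"  {perm}: {reason}")
```

Run against a decoded manifest (for example one produced by apktool), the script lists each permission that is both sensitive and outside the app’s expected set; an empty list for the clean sample shows that the check keys on mismatch with purpose rather than on any single permission being present.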
Go to Settings > Applications > Running Service.
Look for SnakeService and select Stop.
"Due to the open architecture of the APK/dex (Android OS) executable, it is very easy for hackers to download an existing app, disassemble it, add malicious code, repackage-sign and redistribute. As the days go by this knowledge will (and may) be transferred from the experienced hackers to hacker wannabes and will possibly increase the number of Trojanized applications in the market." - Edgardo Diaz, Threat analyst
"The number of malware targeting mobile devices is expected to continuously rise. As such, users should remain vigilant. Download only from trusted sources and developers. “Application Permissions” are enumerated when installing applications so please do read these and report the application if you suspect that it does not need a permission to do something that it is requesting." - Karl Dominguez, Threat response engineer