Written by: Oscar Abendan


Mobile devices have become a “must have” in today’s technology-driven society. Because of the convenience, advanced computing features, and impressive Web connectivity they offer, consumers and organizations alike use mobile devices for both personal and business purposes. In 2010, Gartner noted a 31.8 percent increase in the sales of mobile devices, which reached 1.6 billion units.

As expected, cybercriminals are taking advantage of the popularity of mobile devices to conduct their money-making schemes. Below is a timeline of how mobile malware, in general, has evolved over the years:



Trend Micro particularly noted several threats targeting Google’s Android OS. We have seen several malware families pose as legitimate Android apps in the Android Market and in other third-party app stores. In such attacks, users are tricked into downloading Trojanized apps onto their mobile devices. Once installed, these apps perform several malicious routines that most often lead to information theft, the download of further malware, or full compromise of the device.


How do users get these threats?

Trend Micro has reported several incidents wherein malware came disguised as Android apps. Samples of Android malware found in the wild include:
  • ANDROIDOS_DROIDSMS.A: Came disguised as Windows Media Player.
  • ANDROIDOS_DROISNAKE.A: Came in the form of a game known as Tap Snake.
  • ANDROIDOS_GEINIMI.A: Came in the form of Trojanized apps hosted in certain third-party app stores in China.
  • ANDROIDOS_ADRD.A: Comes in the form of a Trojanized wallpaper app.
  • ANDROIDOS_LOTOOR.A: Trend Micro’s detection for Trojanized versions of legitimate apps like “Falling Down”.
  • ANDROIDOS_BGSERV.A: Trojanized version of the Android Market Security Tool, which Google released to undo the modifications made by ANDROIDOS_LOTOOR.A.

Other Trojanized apps that gathered information about the infected devices and that were found in the wild have been detected as:

Users may unwittingly download these applications from the Android Market and other third-party app stores and install these onto their mobile devices.


What happens once these threats are installed onto users’ mobile devices?


Malware that targets Android-based mobile devices affects users in different ways, from sending text messages without the user’s consent to outright information theft. Based on our analyses, these malicious apps exhibit the following routines:

  • ANDROIDOS_DROIDSMS.A: Attempts to send text messages containing the string “798657” to premium-rate numbers through the infected device’s current default SMS Center (SMSC), using the android.permission.SEND_SMS permission it requests at install time. Upon further analysis, however, it failed to run successfully due to programming errors.
  • ANDROIDOS_DROISNAKE.A (aka Tap Snake): Sends an affected user’s GPS location via HTTP POST once the user accepts its end-user license agreement (EULA).
  • ANDROIDOS_GEINIMI.A: Opens several ports and connects to specific URLs to receive and execute commands from a remote user. These commands allow the remote user to gather specific information and system properties from the infected device.
  • ANDROIDOS_ADRD.A: Gathers information such as the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers from infected devices and sends it to a specific site. It also downloads an updated copy of itself when executed.
  • ANDROIDOS_LOTOOR.A (aka fake Falling Down): Connects to specific sites to send information to and receive commands from a remote user. It steals information such as ClientInfo as well as the IMEI and IMSI numbers of infected devices. It also downloads other malicious apps onto infected devices.
  • ANDROIDOS_BGSERV.A (aka fake Android Market Security Tool): Gathers information from an infected device and sends it to a remote user. It also intercepts sent and received text messages and calls, and downloads files and videos.
  • ANDROIDOS_SMSREP.A: Secretly forwards all incoming text messages to a remote user.
  • ANDROIDOS_FAKEP.A: Attempts to send text messages to premium-rate numbers.
  • ANDROIDOS_FSPY.A: Monitors an infected device’s GPS location, text and email messages, as well as calls. It also gives a remote user the capability to listen in on an affected user’s calls and to control the infected device via SMS.

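Several of the routines above exfiltrate the same things (IMEI and IMSI numbers, the GPS position) over plain HTTP POST, which makes them visible at an egress proxy. The following is an added example, not code from the Trend Micro page, that scans proxy records for 15-digit identifiers and decimal latitude/longitude pairs in POST bodies; IMEI candidates are confirmed with the Luhn check digit that IMEIs carry and IMSIs do not. The log lines, host names and record layout are constructed for the example and are not indicators from the actual samples.

```python
"""Added example (not from the Trend Micro page): flag outbound HTTP POSTs that
carry device identifiers or GPS coordinates, the data the routines above send
to remote sites.  Log records and hosts are constructed, not real indicators."""
import re

# Constructed proxy records: "<client> <method> <host> <path> <url-encoded body or ->"
SAMPLE_LOG = """\
10.0.0.12 POST update.example-c2.test /report imei=490154203237518&imsi=310150123456789&model=HTC
10.0.0.12 GET cdn.example.test /wallpapers/1.jpg -
10.0.0.12 POST geo.example-c2.test /loc lat=37.421998&lon=-122.084000&acc=5
10.0.0.12 POST api.example.test /score score=1234567890123456&user=bob
"""

# Exactly 15 digits, not embedded in a longer number (IMEI and IMSI are both 15 digits).
FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")
# A decimal latitude followed by a decimal longitude somewhere later in the body.
LATLON = re.compile(
    r"(?:lat|latitude)=(-?\d{1,2}\.\d+).*?(?:lon|lng|longitude)=(-?\d{1,3}\.\d+)"
)


def luhn_ok(digits: str) -> bool:
    """IMEI check digit is Luhn; an IMSI has no check digit, so it rarely passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_body(body: str) -> list[str]:
    """Describe every identifier or coordinate pair found in one request body."""
    findings = []
    for m in FIFTEEN_DIGITS.finditer(body):
        kind = "IMEI" if luhn_ok(m.group()) else "possible IMSI/15-digit id"
        findings.append(f"{kind} {m.group()}")
    m = LATLON.search(body)
    if m:
        findings.append(f"GPS {m.group(1)},{m.group(2)}")
    return findings


def scan_log(log: str) -> list[tuple[str, list[str]]]:
    """Return (host, findings) for each POST whose body leaks identifiers or location."""
    hits = []
    for line in log.splitlines():
        client, method, host, path, body = line.split(" ", 4)
        if method != "POST":
            continue
        findings = classify_body(body)
        if findings:
            hits.append((host, findings))
    return hits


if __name__ == "__main__":
    for host, findings in scan_log(SAMPLE_LOG):
        print(f"{host}: {'; '.join(findings)}")
```

The 16-digit score in the last record is deliberately not flagged: the look-arounds in FIFTEEN_DIGITS keep the scanner from matching any long number, and the Luhn check separates a real IMEI from an IMSI or other 15-digit value, which is the distinction a responder needs when deciding what was actually leaked.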

How are users affected by this threat?


Apps like ANDROIDOS_DROIDSMS.A and ANDROIDOS_FAKEP.A were designed to send unauthorized text messages to known premium-rate numbers, which may lead to unnecessary and costly charges for affected users.

Apps like ANDROIDOS_DROISNAKE.A, ANDROIDOS_GEINIMI.A, ANDROIDOS_ADRD.A, ANDROIDOS_LOTOOR.A, ANDROIDOS_SMSREP.A, and ANDROIDOS_FSPY.A put affected users at risk of information theft.

ANDROIDOS_DROISNAKE.A, in particular, when paired with another app known as GPS SPY, can give away an affected user’s GPS location even while the Tap Snake game itself is not running on the infected device. Similarly, ANDROIDOS_FSPY.A monitors an infected device’s GPS location. Devices infected with this malware are also open to further compromise, as it enables a remote user to listen in on an affected user’s calls and to control the infected device via SMS.

Users whose mobile devices have been infected with ANDROIDOS_GEINIMI.A are at risk of becoming part of a mobile botnet, which also puts the apps installed on their devices at risk of removal by the botnet operator.

ANDROIDOS_ADRD.A was primarily designed as a click-fraud Trojan that can put affected users at risk of exorbitant charges.

Apart from information theft, ANDROIDOS_LOTOOR.A also roots infected devices. Rooting allows a remote user to gain root privileges on an infected device. This malware uses two well-known binaries, namely rageagainstthecage and exploid, to root infected devices. It is also capable of downloading and installing other apps onto infected devices without the user’s knowledge. Users who downloaded the Trojanized version of Android Market Security Tool aka ANDROIDOS_BGSERV.A are also susceptible to information theft.


What makes this attack noteworthy?


Google made its Android platform open to all developers to make it more attractive to customers, since openness means more choices. Unfortunately, this also makes it attractive to cybercriminals. All an interested developer needs to do is pay a US$25 registration fee, after which he or she can upload apps to and sell them on the Android Market.

Trend Micro chairman Steve Chang even commented on Android’s open policy. He said that this exposes the Android OS platform to more security threats, as hackers “can more easily understand the platform’s underlying architecture and source code.”

In 2010, Android OS overtook Apple’s iOS and RIM’s BlackBerry OS to become the most preferred mobile platform in the United States. Security researchers have thus predicted that Android’s popularity will make it the natural target of more sophisticated malware.



What are Trojanized apps? Where can users download these?


Trojanized apps are legitimate Android apps that cybercriminals have altered to serve their own purposes. They download a legitimate app, insert malicious code, re-sign the modified package, and upload it to the Android Market or other app stores. These apps are usually offered for free so that more users are likely to download them onto their mobile devices.


Are Trend Micro users protected from this threat?


Yes. Trend Micro Mobile Security for Android™ protects devices running Android OS by preventing the download of fraudulent or malicious Android applications.



What can users do to prevent this threat from entering their mobile devices?


User vigilance remains key to keeping the above-mentioned threats off users’ mobile devices. Before installing an app, double-check what resources it asks for access to. Trojanized apps usually ask for permission to access information that is unrelated to their advertised function. The cybercriminals behind mobile device attacks rely on the fact that users do not fully read through end-user license agreements (EULAs) or permission lists before accepting them.



As much as possible, users should only download from trusted sources and known developers. Users must also read the “Application Permissions” listed before installing an app. Do not install, and do report, an app that requests permissions it does not need for what it is supposed to do.
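The permission review described above, and the repackaging described under “What are Trojanized apps?”, can both be checked mechanically from an app’s AndroidManifest.xml (as extracted by aapt or apktool). The following is an added example, not code from the Trend Micro page or from Trend Micro Mobile Security: it flags high-risk permissions that the app’s stated category does not justify, and it diffs the permission set against the original developer’s build to expose what a repackaged copy added. The two manifests, the com.example.wallpaper package name, and the per-category expectation table are constructed for illustration and are not taken from the ANDROIDOS_ADRD.A sample.

```python
"""Added example (not from the Trend Micro page): review declared Android
permissions against the app's advertised purpose, and diff a suspect build
against the original to spot a Trojanized (repackaged) copy.
Manifests, package name and category table below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that cost the user money or expose identifiers, location or calls.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send premium-rate SMS (charges)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_PHONE_STATE": "exposes IMEI/IMSI and call state",
    "android.permission.ACCESS_FINE_LOCATION": "exposes GPS position",
    "android.permission.RECORD_AUDIO": "can record calls and conversations",
    "android.permission.PROCESS_OUTGOING_CALLS": "can monitor or redirect calls",
}

# What an app of a given kind plausibly needs (hypothetical table); anything else is unexpected.
EXPECTED_BY_CATEGORY = {
    "wallpaper": {"android.permission.SET_WALLPAPER"},
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name="..."/> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def review(manifest_xml: str, category: str) -> list[str]:
    """Flag high-risk permissions that the app's category does not justify."""
    unexpected = declared_permissions(manifest_xml) - EXPECTED_BY_CATEGORY.get(category, set())
    return [f"{p}: {HIGH_RISK[p]}" for p in sorted(unexpected) if p in HIGH_RISK]


def added_permissions(original_xml: str, suspect_xml: str) -> set[str]:
    """Permissions present in the suspect build but absent from the original."""
    return declared_permissions(suspect_xml) - declared_permissions(original_xml)


# Constructed manifests: a benign wallpaper app and a repackaged copy of it.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpaper"/>
</manifest>"""

TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Wallpaper"/>
</manifest>"""

if __name__ == "__main__":
    for finding in review(TROJANIZED_MANIFEST, "wallpaper"):
        print("SUSPICIOUS:", finding)
    print("added vs. original:", sorted(added_permissions(ORIGINAL_MANIFEST, TROJANIZED_MANIFEST)))
```

INTERNET shows up in the diff but not in the findings: on its own it is too common to be a signal, but a wallpaper app that gains INTERNET together with READ_PHONE_STATE and SEND_SMS has exactly the combination needed to collect the IMEI/IMSI and send premium-rate messages, which is why the review looks at the unjustified high-risk permissions rather than the raw count.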

Users whose mobile devices have been infected with ANDROIDOS_DROISNAKE.A have two options: uninstall the app, or stop SnakeService. To do the latter, follow these steps:

  1. Go to Settings > Applications > Running services.
  2. Look for SnakeService and select Stop.


Expert Insights

"Due to the open architecture of the APK/dex (Android OS) executable, it is very easy for hackers to download an existing app, disassemble it, add malicious code, repackage-sign and redistribute. As the days go by this knowledge will (and may) be transferred from the experienced hackers to hacker wannabes and will possibly increase the number of Trojanized applications in the market." - Edgardo Diaz, Threat analyst

"The number of malware targeting mobile devices is expected to continuously rise. As such, users should remain vigilant. Download only from trusted sources and developers. “Application Permissions” are enumerated when installing applications so please do read these and report the application if you suspect that it does not need a permission to do something that it is requesting." - Karl Dominguez, Threat response engineer