This year is off to a historically abnormal start. In the first quarter of each year we tend to experience a lull in malware, but the first quarter of 2014 has already yielded three brand-new Android malware families. Two of these new malware families exhibit behavior never before seen on the Android platform. And that's not all.
Security researchers have also uncovered two new vulnerabilities affecting Android that can result in some incredibly sensitive information being stolen. While Google patches these vulnerabilities the researchers are keeping the methodology under wraps. Once the details of these vulnerabilities are released we can be sure malware will quickly be developed to exploit them.
"This year we expected Android malware to increase in complexity and new types of malware to be developed," said Armor for Android CEO Chris Walbom, "Only a month into 2014 our predictions have already been confirmed." If this is in fact the annual malware "lull" we will be up to our ears in new malware by the end of the year.
OldBoot
This is the very first bootkit to grace the Android landscape, and it has the unique ability to re-install itself after being uninstalled. It takes some pretty tricky technical knowledge to successfully remove OldBoot malware from infected devices.
Discovered by Russian anti-virus firm Dr.Web, this malware installs one of its modules to "the boot partition of the file system and modif(ies) the init script which is responsible for the initialisation of OS components." That is a very techy way of saying OldBoot installs part of its code into the Android OS startup process, so the malicious code runs every time the device is turned on.
The malicious startup code installs two other malware components: a file called libgooglekernel.so is installed as a library, and GoogleKernel.apk is installed as an application. These two components work together to open a back door from the device to a remote command and control (C&C) server. The C&C server issues commands back to the malware, "most notably, to download, install or remove certain applications."
The two components, libgooglekernel.so and GoogleKernel.apk, can be easily uninstalled, but because of the modified startup code they are re-installed each time the device is restarted. Completely uninstalling OldBoot requires that the victim locate and remove a file called imei_chk, or restore the infected device to factory settings.
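As an added triage helper (not from the original article or from Dr.Web), the script below checks a file listing and an init script pulled from a device for the three OldBoot component names mentioned above. It works on plain text files so it runs offline; the assumed way to produce them is `adb shell find / -type f 2>/dev/null > listing.txt` and `adb pull /init.rc init.rc` (the init script path is an assumption and varies by device).

```shell
#!/bin/sh
# Added example: look for the OldBoot component names named in the write-up.
# Inputs are text files captured from the device (see lead-in); nothing here
# talks to a device directly.

# Component names quoted in the write-up (a constructed list, not a feed).
OLDBOOT_NAMES='libgooglekernel.so GoogleKernel.apk imei_chk'

# Escape the dots in a file name so grep -E treats it literally.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# oldboot_paths LISTING_FILE
# Prints every path whose basename is one of the indicator names.
# Exit status 0 if at least one path matched, 1 otherwise.
oldboot_paths() {
    hit=1
    for name in $OLDBOOT_NAMES; do
        if grep -E "(^|/)$(re_escape "$name")\$" "$1"; then
            hit=0
        fi
    done
    return $hit
}

# init_references INIT_SCRIPT
# Prints lines of the init script that mention an indicator name. A hit here
# is what makes the components come back after a plain uninstall, so the init
# script (or a factory reset) is what needs fixing, not just the two files.
init_references() {
    hit=1
    for name in $OLDBOOT_NAMES; do
        if grep -F "$name" "$1"; then
            hit=0
        fi
    done
    return $hit
}
```

Both functions print their matches and return a shell status, so they can be chained in a larger triage script (for example, `oldboot_paths listing.txt && init_references init.rc`).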
DroidPak
Last year we saw the first case of Android malware used as an infection mechanism to install Windows malware on PCs. In 2014 we have seen just the opposite: the very first case of Windows malware installing Android malware on connected mobile devices.
The Windows malware downloads two components to the infected computer: the Android Trojan called DroidPak, and a legitimate developer tool called the Android Debug Bridge (ADB). The Windows malware then uses ADB to install the DroidPak Trojan on the connected Android device.
The DroidPak Trojan installs an Android banking Trojan on the infected device. This banking Trojan attempts to uninstall legitimate banking applications and prompts the user to install fake versions of the same applications, which are designed to collect and steal the victim's online banking login credentials.
This Android/Windows malware combo was discovered in Korea. It's merely a matter of time before this malware becomes global.
Trojan-Spy.HeHe
This threat is up to the same old spyware tricks but also has a couple of interesting features. First, it is not straightforward commercial spyware of the kind sold to untrusting significant others who want to monitor one another. The malicious code is packaged into a seemingly legitimate application and is downloaded unknowingly by the device user. This activity feels very much like cyber espionage, but the actual motives remain unclear. Once installed it contacts a remote server and receives a specific list of target phone numbers, whose incoming phone calls and SMS messages it then intercepts.
Second, this threat seems to be philosophically opposed to being analyzed. Trojan-Spy.HeHe will not execute any of its malicious activity if it detects that it is being run on an emulator (a tool commonly used for malware analysis). Only if the malware can read a device model number and an IMSI (International Mobile Subscriber Identity) will this threat share its "gift" with the world.
Android VPN Vulnerability
VPN internet connections were the golden child of Android security professionals until suddenly they weren't. VPNs are designed to provide an encrypted, anonymous internet connection to protect sensitive data and ensure privacy. However, security researchers from Ben Gurion University have discovered a vulnerability in the Android OS that can be exploited to gain access to plaintext internet communications even when a VPN connection is in use.
The proof-of-concept application these researchers have produced requires neither root-level permissions nor VPN permissions. In a demonstration video the researchers activated the PoC malware, correctly configured and activated a VPN connection, and watched as their supposedly secure communications were intercepted.
Google is working to patch this vulnerability, but until the patch is released and installed on your device, VPN connections cannot be considered secure on the Android platform. Please be aware this is an Android vulnerability, not a VPN vulnerability. VPNs remain one of the best methods of providing a secure web browsing experience on all other platforms.
Touch-Screen Logging Malware
Keylogging malware has long been a significant threat to PCs, but mobile devices have been moving away from hardware keyboards for quite some time. Touch-screen logging malware is the evolution of keylogging malware for mobile devices.
Developed by Trustwave security consultant Neal Hindocha, this proof-of-concept malware has a bright future in cyber espionage and targeted cyber attacks. The PoC malware logs the X and Y coordinates of a screen swipe or touch event and takes a screenshot of the device. The touch coordinates are then overlaid on the screenshot to show exactly what the user is doing.
This PoC malware can be installed on both rooted Android and jailbroken iOS devices. If touch-screen logging is adopted by real malware developers, it can be used to steal victims' login credentials for all sensitive online accounts, from banking and healthcare to social media and email.
Android is far and away the favorite platform for mobile malware, in much the same way Windows has been the favorite of PC malware for many years. As Android malware becomes more complex, infections are becoming more difficult to remove. To help you avoid Android malware infections altogether, keep these tips in mind:
- Always stay current with application and operating system updates. These updates often include patches for security vulnerabilities.
- Install and use anti-virus software on your mobile device, laptop and desktop. Cross-platform malware infections will continue to become more prominent.
- Research applications before you download. Avoid suspicious applications or applications from developers with little to no other web presence. Look for developer websites, contact email addresses, company social media accounts, etc.
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA