As sure as the sun will shine and the summer will come, Android malware flourished in the second quarter of the year. More scams, vulnerabilities and threats were discovered in April than in any other month so far this year.
The Heartbleed vulnerability is likely the most publicized threat discovered in April, and, affecting nearly two thirds of the web and more than 50 million Android devices, it is also likely the most dangerous. But Heartbleed is perhaps not the most sophisticated threat of April; that title belongs to the newest member of the OldBoot malware family.
The Heartbleed vulnerability and the OldBoot.B variant are the major threats of the month, so both will be discussed in the greatest detail, though I will attempt to maintain some brevity as there is a lot to cover.
As always, for each threat described herein the title links to a full article which discusses the threat in greater detail. If anything is unclear please refer to the source article and feel free to email me (James@ArmorForAndroid.com) or find me on the Twitterverse (@James_AfA) if you have any questions!
Virus Shield was a pretty brazen scam. The concept was simple: create a fake Android antivirus application that does nothing to protect the device, and sell it on Google Play for $3.99. The price point may seem low, but in a little more than a week Virus Shield was downloaded upwards of 30,000 times, netting more than $120,000 for the fake app's developer, "Deviant Solutions."
The Virus Shield app was not inherently malicious; in reality it did next to nothing. The app's main function was to perform a fake scan and display a progress icon. Once an allotted amount of time passed, the app changed 'X icons' to '✓ icons,' indicating the device was now protected. No scan took place and no protection was provided.
Sub-reddit /r/badapps exposed the scam and Google quickly pulled the app from the market. Google is also offering a refund to affected customers in the form of a $5 promotional credit to purchase any other digital content on Google Play.
Virus Shield is a reminder that Google Play is not infallible and malware does sneak past security measures to affect a large number of users.
In early April information security guru Brian Krebs discovered an Android botnet working in association with a desktop banking Trojan designed to steal victims' banking usernames, passwords, and two-factor authentication passcodes. Two-factor authentication passcodes are sent via SMS messages to the phone number listed on the bank account and are designed as an extra layer of security to prevent unauthorized access to financial information.
The Android portion of this threat is disguised as a security application for numerous banks in the Middle East (previously Trojan campaigns also exploited Australian and Spanish banks). The fake security application steals SMS messages from victims' devices and forwards the stolen messages to the botnet server.
The good news is the Android malware associated with this botnet was discovered last year and is widely detected by Android antivirus applications. Anyone using an antivirus app on their Android device will be alerted to the threat before any information can be stolen. The bad news is this Android botnet has already infected over 2,700 devices and stolen 28,000+ text messages.
Heartbleed is the vulnerability that has been abuzz in the news this month, and for good reason. This vulnerability can be used to expose the encrypted data of OpenSSL connections, revealing to an attacker usernames and passwords, credit card data and, most dangerous of all, encryption keys (the keys used to encrypt and decrypt information transmitted via SSL/TLS).
The Heartbleed vulnerability is brilliantly described by Zulfikar Ramzan in a video hosted on TechCrunch.com. The eight-minute video gives a high-level explanation of the vulnerability; what follows is a summary, so if you have any further questions please refer to Ramzan's video.
Secure OpenSSL connections are kept alive by something called a "heartbeat request," which ensures that both computers are connected and responsive. A heartbeat request includes a payload (user name, password, and other sensitive data) and information about the size of the payload. When one computer sends a heartbeat request to another, the second computer responds with the payload information from its memory and some "padding." By exchanging this information the two computers can confirm that they are still connected.
The Heartbleed vulnerability concerns how an attacker can spoof a heartbeat request and receive more than the payload. An attacker crafts a fake heartbeat request with a very small payload, but states in the request that the payload is much larger than it really is. The second computer responds with the payload from the fake heartbeat request, but that payload does not fill the size the request claimed. To fulfil the claimed size the second computer adds information from its memory until the payload size is correct. The attacker then receives the response, including information that he/she should not have been able to access.
The Heartbleed vulnerability affects certain versions of OpenSSL, which is widely used across the internet; reportedly two thirds of the internet uses OpenSSL. Android version 4.1.1 is affected by Heartbleed. This version of Android is among the most commonly used; approximately 33% of all Android devices run a version of 4.1. The Heartbleed vulnerability and the disastrous fragmentation within the Android OS left an estimated 50 million Android devices vulnerable to attack.
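To make the length mismatch concrete, here is a small Python model of the heartbeat exchange described above. It is an added example, not code from the original article or from OpenSSL: the record layout (one type byte, a two-byte declared payload length, the payload, then sixteen bytes of padding) follows the TLS heartbeat extension, while the `SECRET_MEMORY` buffer, the `respond_vulnerable`/`respond_fixed` functions and the sample messages are constructed for the demonstration. The vulnerable handler copies as many bytes as the sender declared; the fixed one rejects any request whose declared length does not fit inside the record that actually arrived, which is the shape of the check the OpenSSL patch added.

```python
# Added example (not from the original article or from OpenSSL): a toy model of
# the heartbeat handler, showing why trusting the sender's declared payload
# length leaked memory (Heartbleed) and the bounds check that closes the hole.
# Record layout: 1-byte type, 2-byte declared payload length, payload, padding.
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # minimum padding the heartbeat extension requires

# Constructed "process memory": whatever happens to sit after the heartbeat
# record. In the real bug this was arbitrary heap content of the OpenSSL process.
SECRET_MEMORY = b"session-cookie=abc123; password=hunter2; -----BEGIN PRIVATE KEY-----"


def build_heartbeat(payload, declared_length):
    """Build a heartbeat record. An honest peer passes declared_length == len(payload)."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, declared_length)
    return header + payload + b"\x00" * PADDING


def _respond(record, memory_after_record, check_bounds):
    """Return a heartbeat response, or None if the request is rejected.

    `record + memory_after_record` models the contiguous memory the handler
    reads from; `len(record)` is the length the TLS record layer reported.
    """
    record_length = len(record)
    heartbeat_type, declared_length = struct.unpack("!BH", record[:3])
    if heartbeat_type != HEARTBEAT_REQUEST:
        return None
    # The post-Heartbleed check: header + declared payload + minimum padding
    # must fit inside the record that actually arrived.
    if check_bounds and 1 + 2 + declared_length + PADDING > record_length:
        return None
    memory = record + memory_after_record
    # The vulnerable path copies declared_length bytes from the payload offset,
    # trusting the peer's number instead of the record's real size. (Python
    # slicing silently stops at the end of our toy memory; C did not.)
    payload = memory[3:3 + declared_length]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, declared_length)
    return header + payload + b"\x00" * PADDING


def respond_vulnerable(record, memory_after_record):
    return _respond(record, memory_after_record, check_bounds=False)


def respond_fixed(record, memory_after_record):
    return _respond(record, memory_after_record, check_bounds=True)


def leaked_bytes(response, declared_length, real_payload_length):
    """Bytes in the response payload beyond what the requester actually sent."""
    payload = response[3:3 + declared_length]
    return payload[real_payload_length:]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    lying = build_heartbeat(b"ping", 64)  # claims 64 bytes, sends 4
    print(respond_vulnerable(honest, SECRET_MEMORY)[3:7])
    print(leaked_bytes(respond_vulnerable(lying, SECRET_MEMORY), 64, 4))
    print(respond_fixed(lying, SECRET_MEMORY))  # None: request dropped
```

Run it and the lying request comes back from the vulnerable handler carrying the padding plus bytes from `SECRET_MEMORY`, while the fixed handler returns `None` and sends nothing; the honest request is answered identically by both.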
Social engineering is the dubious trick that email spam relies upon. Most of us know the Nigerian prince offering us millions of dollars isn't real, nor are internet email lotteries distributing money to random email addresses. But these scams must work on some level or they would cease to exist. Now we are encountering more clever email spam campaigns distributing Android malware, and they will catch some recipients unaware.
From a normal desktop/laptop computer the spam links lead to pharmaceutical websites, a common spam technique. But from Android devices the spam links are directed to a slightly different domain where a variant of the Android "NotCom" Trojan is automatically downloaded to the device. NotCom Trojans are capable of receiving commands from a remote command and control (C&C) server.
The Android malware being distributed is likely to change between email spam campaigns. NotCom is undoubtedly unwanted but there are much more dangerous threats that could be distributed in the future. A general rule to keep in mind is that if you didn't go out looking for an app, don't install it. If a website or advertisement randomly appears suggesting you download, or automatically starts downloading, an application it is probably best to avoid installing the pushy application.
This new variant of the OldBoot malware is the most sophisticated Android malware discovered to date, and is as dangerous as Heisenberg visiting a nursing home. OldBoot.B is the evolution of the first Android bootkit called OldBoot. Both of these threats are remarkably complex but OldBoot.B truly takes uncharted steps into Android malware territory.
The OldBoot malware family injects malicious code into the Android operating system and modifies the start-up process to execute its own code each time the device is rebooted. The malicious start-up code extracts and installs two files (libgooglekernel.so and GoogleKernel.apk) that are used to open a backdoor from the device to a remote command and control (C&C) server. The C&C server can then instruct the malware to install additional malware, with endless malicious capabilities, onto the device. Because the malicious OldBoot code is injected into the Android startup code this threat is exceedingly difficult to remove. If the two malicious files (libgooglekernel.so and GoogleKernel.apk) are uninstalled from the device they will be reinstalled each time the device is rebooted.
OldBoot.B is the newest evolution of the OldBoot malware family, and it goes much further than its predecessor. OldBoot.B can disable or uninstall antivirus applications to prevent detection. This variant hijacks the device install/uninstall process and implants a custom file within the OS that allows it to prevent applications from being uninstalled. As final proof of its position at the forefront of Android malware, OldBoot.B uses steganography (the practice of hiding messages within pictures). OldBoot.B hides malicious code within image files included in the application package. The concept of steganography is ancient, but the practice of using steganography in Android malware is an advanced concept.
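Since the article notes that OldBoot.B hides code inside image files shipped in its APK, here is a defender-side triage script, added here and not taken from the article or from any OldBoot analysis, that unpacks an APK's image resources and flags two crude embedding tricks: bytes appended after the PNG IEND chunk, and a known executable signature (ELF, dex, ZIP) sitting inside the image. The sample APK, its resource names and the appended bytes are constructed inline; the article does not say which embedding technique OldBoot.B actually uses, and pixel-level hiding would pass this check unnoticed.

```python
# Added example (not from the original article or any OldBoot write-up): triage
# the image resources inside an APK for crude code-hiding tricks. Uses only the
# standard library; the sample APK below is constructed for the demonstration.
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp")

# Executable-format signatures that have no business inside a picture.
SUSPICIOUS_MAGIC = {
    b"\x7fELF": "ELF shared object/executable",
    b"dex\n": "Dalvik executable (dex)",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
}


def png_end_offset(data):
    """Walk the PNG chunk list; return the offset just past IEND's CRC, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, chunk_type = struct.unpack("!I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # 8-byte header, data, 4-byte CRC
        if chunk_end > len(data):
            return None  # truncated chunk
        if chunk_type == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def inspect_image(data):
    """Return a list of findings for one image file; an empty list means nothing was flagged."""
    findings = []
    end = png_end_offset(data)
    if end is not None and end < len(data):
        findings.append(f"{len(data) - end} bytes appended after PNG IEND")
    for magic, name in SUSPICIOUS_MAGIC.items():
        offset = data.find(magic)
        if offset >= 0:
            findings.append(f"{name} signature at offset {offset}")
    return findings


def scan_apk(apk_bytes):
    """Map each flagged image entry in the APK (a ZIP file) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.lower().endswith(IMAGE_SUFFIXES):
                findings = inspect_image(apk.read(name))
                if findings:
                    report[name] = findings
    return report


# --- constructed sample data -------------------------------------------------

def _png_chunk(chunk_type, payload):
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack("!I", len(payload)) + chunk_type + payload + struct.pack("!I", crc)


def build_sample_png():
    """A valid 1x1 8-bit greyscale PNG, built from scratch so the example needs no image files."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_apk():
    """An in-memory APK with one clean image and one carrying a fake ELF stub after IEND."""
    clean = build_sample_png()
    tampered = clean + b"\x7fELF" + b"\x00" * 12  # constructed stand-in for a hidden native payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("res/drawable/clean.png", clean)
        apk.writestr("res/drawable/icon.png", tampered)
        apk.writestr("classes.dex", b"dex\n035\x00")  # real dex belongs here, not inside an image
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_apk(build_sample_apk()).items():
        print(entry)
        for finding in findings:
            print("  -", finding)
```

The report lists only `res/drawable/icon.png`, with both the trailing-bytes finding and the ELF signature; `classes.dex` is skipped because the check is scoped to image entries. On a real APK, treat a hit as a reason to pull the entry apart by hand, not as a verdict.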
The most common form of Android malware is the SMS Trojan family. These threats send text messages from infected devices to premium SMS service numbers to incur illicit charges on victims' mobile phone bill. The predecessors to modern SMS Trojans often targeted one country at a time, but now SMS Trojans have developed to target multiple countries at once. Kaspersky researcher Roman Unuchek has been monitoring the development of the SMS Trojan family and recently discovered an SMS Trojan targeting "users in 66 countries, including the US." Modern SMS Trojans are more robust and continue to dominate the Android malware landscape.
Guess who's back, back again. CryptoMiner's Back, tell a friend (unlicensed reference to Eminem's 2002 single Without Me. Hope you enjoyed that). Last month we brought you news about CryptoMiner malware on Google Play secretly mining cryptocurrencies in the background of infected devices. Well guess who's back with a different name. The new form of CryptoMiner, dubbed BadLepricon by security firm Lookout, utilizes the device processor for cryptocurrency mining pools. Unlike the original CryptoMiner malware this new variant kindly takes steps to protect the device hardware and will only execute the illicit cryptocurrency mining activity when the device has 50% battery life or more. BadLepricon is polite Android malware, but is malware all the same.
In the realm of computers the shine has long since worn off worm-style malware; it no longer has the new malware smell. But in the Android world worm-style malware is a noteworthy development.
A new worm-like threat called Worm.Samsapo will attempt to spread by sending malicious SMS messages to every contact on an infected device. These malicious SMS messages contain a link to download the worm malware and ask the recipient in Russian "Is this your photo?" Presumably the malicious link leads to a picture but any victim unlucky enough to click the link will find the worm-like malware will automatically begin downloading.
Once installed on a device Worm.Samsapo will again attempt to spread by sending malicious text messages. This threat steals personal information, phone numbers, and text messages and uploads the stolen information to a remote server, and can also send SMS messages to premium SMS services to incur additional charges to the mobile phone bill.
Protect Your Android Device & Yourself
As long as there are cyber-criminals, there will always be Android malware. There is no way to defeat Android malware outright, but we can protect ourselves from it. Using an Android antivirus application is essential to device security, but knowing how to use your device safely is equally important. Here are a few tips to keep in mind when using your Android device to keep yourself and your personal information safe and secure.
- Be skeptical! Always research an application and developer prior to downloading and installing an app. Look for a customer service phone number or email address and visit the developer's social media page to establish credibility.
- Avoid drive by downloads. If a website or advertisement drops a newly downloaded app on your device, do not install that application.
- Stay up-to-date with application and operating system updates. Updates often include security patches to make your device more secure.
- Install and USE an antivirus application on your device! Antivirus applications alert you to security concerns you were not aware of.
James Green is a mobile security researcher who has worked in the Android security field for several years, providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA