In February 2014 there was a slight dip in malware activity. This could be due in part to the fact that February has fewer days than any other month, but in all reality, February has been the slowest month for Android malware since last July. We should prepare for Android malware to return to a face-melting pace very soon, but let's enjoy this lull while we can.
January was uncharacteristically busy in terms of Android malware and February was keeping pace early in the month. About halfway through February we see a substantial drop in daily malware activity. I, for one, have always imagined malware developers as more of the lonely, cold-hearted type, but maybe I am typecasting these cybercriminals. It very well could be that malware developers, ever the romantics, took their significant others on a nice cruise following Valentine's Day and returned around the 21st to resume their illicit activities. Perhaps next year for Valentine's Day the Android security community should send out free cruise tickets to known malware developers and together they can all sail happily off into the Bermuda Triangle.
Android malware developers may have taken a brief romantic sabbatical in February, but there were still plenty of new developments in the underworld. In February we witnessed malware developers target trending events online and in Russia. We also saw two more PC malware characteristics make the jump to the Android platform. Even a slow month is not a dull month when it comes to Android malware.
It was reported by NBC that the Winter Olympics in Sochi were a hotbed for cybercrime. The report implied that all travelers attending the Olympic Games would encounter malware of some type just by connecting their devices to the internet. The reality was less sensational, but the threat to personal privacy was very real.
Russian culture does not regard privacy in the same way that American culture does. The U.S. Department of State issued the following warning to individuals traveling to Sochi:
Travelers should be aware that Russian Federal law (known by the Russian acronym SORM) permits the monitoring, retention, and analysis of all data that traverses Russian communication networks, including internet browsing, e-mail messages, telephone calls, and fax transmissions. All systems, whether wired or wireless, are subject to monitoring including telephone conversations (landline and cellular), fax, internet, e-mail, VOIP, and SMS/instant messaging. The information may be stored and analyzed for up to three years.
In addition to the overbearing Russian government, anyone attending the Sochi Olympics needed to be on the lookout for Android malware. Fake Wi-Fi networks, phishing emails, and malicious websites are more prominent in Eastern Europe. The NBC report made it seem as though it was inevitable that travelers' devices would become infected, which was somewhat misleading, but uneducated, unsuspecting travelers could very easily fall victim to Android malware. Kaspersky Labs, who were appointed by the Russian government to protect travelers from cybercrime, stated that "visitors here will bring so many devices the hackers will have plenty of targets."
On February 8th the developer of the popular game Flappy Bird, Dong Nguyen, tweeted "I am sorry 'Flappy Bird' users, 22 hours from now, I will take 'Flappy Bird' down. I cannot take this anymore." Nguyen was true to his word and removed the official Flappy Bird game from all app stores. In the wake of the game's removal, new users were clamoring to see what all the fuss was about. Malware developers took advantage of Android users scouring unfamiliar app stores for the Flappy Bird game.
Flappy Bird malware is a prominent new form of SMS Trojan. This malware appears to be the legitimate game, but when launched it displays a warning that the "Trial Period" has ended and prompts the user to send an SMS message to activate the full version. If the user confirms this action, an SMS message is sent to a premium SMS service, which incurs additional monthly charges on the user's mobile phone bill.
Android users should avoid downloading any version of the Flappy Bird game. There are several alternatives available that offer equally enjoyable game play, and there are in-browser versions of Flappy Bird that require no download.
This Trojan, Trojan.SMSOnion, marks the first time we have observed Android malware using a .onion URL to host its command and control (C&C) server. This is another PC malware characteristic that has made the jump to the Android platform.
Because the C&C server is hosted on a .onion domain it cannot be taken down. Onion domains are only accessible via the Tor (The Onion Router) network, which routes connections through a chain of relays, so the server hosting the C&C page cannot be traced and disabled.
While the durability of the C&C server is an advantage to the malware developer, using a .onion domain requires a significant amount of additional code. Trojan.SMSOnion is another example of how Android malware is growing in complexity and how more sophisticated cybercriminals are targeting the Android platform.
This is the first time we have witnessed Android malware using Facebook advertising as an infection method. Malware developers are using Facebook's "suggested post" advertising to promote malicious variations of popular applications such as YouTube, Candy Crush, Angry Birds, WhatsApp, and more.
The suggested post advertising method allows advertisers to target very specific groups of Facebook users. Malware developers are exploiting this by electing to display their malicious advertisements to Facebook users who are browsing on an Android device located in a specific region. This ensures that the malware advertisement will only be displayed to Facebook users who own a compatible device and live in a region where the malware will be effective.
Clicking on the "suggested post" advertisement directs the victim to a malicious webpage that is designed to look like Google Play. The fake Google Play page promotes the malicious application as popular and trustworthy to encourage the Android user to download the SMS Trojan.
If downloaded, the SMS Trojan will send a text message from the infected device to a premium SMS number (either 797024, 795964, or 797025). This unauthorized message will place a charge on the victim's mobile phone bill. The premium SMS service must send a response message to the infected device, and the Trojan will attempt to intercept this message to prevent the victim from becoming aware of the unauthorized SMS activity. On older versions of the Android OS the Trojan registers a receiver that monitors all incoming SMS messages to intercept and delete any message sent from the premium service numbers. On the newest version of the Android OS (4.4 KitKat), where only the default SMS application can delete messages, the Trojan cannot intercept and delete the response and takes a different approach: it briefly silences the device when the message is received and marks the message as read in an effort to prevent the user from discovering it.
Android malware dominates the mobile malware landscape representing the vast majority of all mobile malware. Android users can take simple steps to avoid falling victim to this very real threat. Keep the following tips in mind while using your Android device to avoid an Android malware infection.
- Install and use an Android antivirus application on your device. Stay current with antivirus application updates to ensure that you are protected from the most recent threats.
- Be sure to stay current with all other applications and Android OS updates as these often contain patches for recently discovered security vulnerabilities.
- Avoid downloading applications from untrustworthy sources.
- Review application permissions before downloading. Unnecessary application permissions, such as a calculator application requiring SEND_SMS permission, can be a red flag indicating malware.
- Read user reviews of applications before downloading and look for a strong web presence. Applications without a developer website, Facebook page, Twitter account, or customer support number should be considered suspicious.
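The SEND_SMS red flag from the tips above and the high-priority SMS receiver that the Facebook-advertised Trojan registers on pre-KitKat devices can both be checked statically in a decoded AndroidManifest.xml. The following audit script is an added example, not code from the original article or from Armor for Android; both manifests, their package names and the receiver class name are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def _attr(el, name):
    # Manifest attributes live in the android: namespace.
    return el.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(manifest_xml):
    """Return sorted (code, detail) SMS red flags for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    flags = []
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    if "android.permission.SEND_SMS" in perms:
        flags.append(("SEND_SMS", "app can text any number, premium services included"))
    if "android.permission.RECEIVE_SMS" in perms:
        flags.append(("RECEIVE_SMS", "app can read incoming text messages"))
    # A receiver for SMS_RECEIVED with a high priority sees each text before the
    # stock SMS app and, before Android 4.4, can abort the broadcast so the premium
    # service's reply never reaches the user.
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            priority = int(_attr(filt, "priority") or 0)
            if SMS_RECEIVED in actions and priority > 0:
                flags.append(("HIGH_PRIORITY_SMS_RECEIVER",
                              "%s handles SMS_RECEIVED at priority %d"
                              % (_attr(receiver, "name"), priority)))
    return sorted(flags)

# Constructed sample: a "calculator" that wants SMS permissions and a top-priority
# SMS receiver, the red-flag combination the tips above describe.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.calculator">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""
# Constructed sample: a notes app that only asks for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.notes"><uses-permission android:name="android.permission.INTERNET"/>
  <application/></manifest>"""
```

A real APK needs its binary manifest decoded first (for example with apktool) before it can be fed to this parser.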
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA