Android malware was a mixed bag in March. New threats were developed from old and new vulnerabilities alike. A brand new malware development tool was discovered for sale on the underweb, and somehow (exactly how remains unclear) cybercriminals have even been able to install malware on devices before they were shipped to customers.
Early in the month of March, Android malware was continuing at February's slow pace, but mid-month the tempo changed. Around St. Patrick's Day and the beginning of March Madness, Android malware took a turn for the surreal. Daily malware activity surged and dangerous new threats were frequently discovered.
The total number of newly discovered Android threats grew from February to March. Although the growth was small, it is an indication that the annual first quarter lull of Android malware has ended.
Android is the most popular smartphone platform worldwide and this popularity is attracting a more sophisticated type of cyber criminal. We have witnessed an immigration of cybercriminals over the past few months and this injection of new blood into the Android malware talent pool has led to these recent developments. In March these consummate cybercriminals have spent time developing more advanced Android threats and discovering previously unknown vulnerabilities in the Android operating system.
Early in March an Android user complained to antivirus company Marble Security that their product was wrongly detecting a preinstalled Netflix application as malicious. Obviously concerned about a false positive detection affecting a large number of users, Marble Security CTO and Founder David Jevans ordered an investigation be conducted. According to Mr. Jevans, they found that the preinstalled application was not made by Netflix at all and was "sending passwords and credit card information to Russia."
The Trojan Netflix applications were preinstalled on six Samsung models, three Motorola models, two Asus models, and three models by three other manufacturers. Samsung was the only company who responded to requests for comment and said, "(I)f there is a fake Netflix app on the devices, it is something that was not preloaded by Samsung or U.S. carrier partners." Netflix also declined to comment.
This issue resurfaced later in March as Kaspersky Lab Expert Dong Yan exposed an ongoing case of preinstalled malware in China. This malware is preinstalled on devices by a company called Goohi Alliance. The Goohi Alliance provides an application called "Datang fairy artifact" which has already been preinstalled on more than 46 million devices. Yan explains that this preinstalled malware steals a trove of sensitive information, including call logs, from the device and silently downloads and installs additional applications that will earn money for the Goohi Alliance depending on how many applications are installed. The Goohi Alliance are the developers and profiteers of this malware, but exactly who is installing it on Android devices remains unclear.
Google Play's application review system, Google Bouncer, is far from infallible and another SMS Trojan has snuck by, this time wearing night goggles. Camara Vision Nocturna is a Spanish SMS Trojan that steals user account information and sends SMS messages to 797080. The premium SMS service also appears to be based in Spain and charges €1.45 per message and a maximum of €36.25 per month to the victim's mobile phone bill. Victims of this SMS Trojan may be able to recoup some of their stolen money by contacting the offending premium SMS service by phone (No. 902-501-765) or by email (firstname.lastname@example.org).
Android malware made easy and cheap. Dendroid is a Remote Access Toolkit for the Android platform that allows inexperienced cybercriminals to create very powerful Android Trojans with only a few clicks.
Dendroid is sold for $300 USD on the underweb by an individual known only as "Soccer." This powerful malware tool allows potential cybercriminals to browse popular Android applications and select which APK they wish to use as a Trojan. Dendroid does all the hard work and packages the malicious code into the APK to create a brand new Trojan. Dendroid crimeware advertises that it can create Android Trojans capable of all of the following illicit activities:
Dendroid creates incredibly powerful Trojans that can turn any Android device into a mobile bot. Equally concerning is the ability of these Trojans to evade the Android market security measures designed to detect and reject malware. Dendroid Trojans have been published on nearly all Android markets, including Google Play.
A vulnerability has been discovered in Android OS versions 2.3, 4.2.2, and 4.3 that allows a malicious application to "brick" an Android device (brick is a term commonly used to describe an Android device damaged beyond repair, making it about as useful as a brick). The secret trick to bricking an Android device is using really, really long activity names, 380K characters or longer.
Android applications are made up of "activities," and each activity has a label. If an activity label is set to a value of 387,000 characters or longer it will trigger the vulnerability and cause the device to reboot. If the malicious application has also been granted the REBOOT permission (meaning the application is allowed to reboot the device itself), it will send the device into an endless loop of reboots, turning an expensive smartphone into an expensive paperweight.
Unfortunately, if normal Android users have fallen victim to this vulnerability they must use the boot loader recovery fix, which will reset the device to factory settings, and all information (photos, contacts, etc.) will be lost. Android users who have enabled developer privileges on their devices can use ADB to remove this type of malicious application.
Late in March, TrendMicro discovered a series of applications on Google Play that secretly hijack the processing power of the infected device to mine for some of the less well-known cryptocurrencies: Dogecoin, Litecoin, and Casinocoin. These Trojans made their way onto Google Play, where they were downloaded between one million and five million times.
Unlike most Android Trojans, this threat is not interested in stealing the victim's information or money. CryptoMiner is only interested in using the infected device as part of a mobile botnet to harness processing power for mining activities. However, the malware authors make no effort to protect the device from overloading and this malware commonly leads to overheating batteries, poor battery life and difficulty charging the device. This malware poses a very real threat of causing irreparable damage to the infected device.
Android malware dominates the mobile malware landscape representing the vast majority of all mobile malware. Android users can take simple steps to avoid falling victim to this very real threat. Keep the following tips in mind while using your Android device to avoid an Android malware infection.
- Install and use an Android anti-virus application on your device. Stay current with antivirus application updates to ensure that you are protected from the most recent threats.
- Be sure to stay current with all other applications and Android OS updates as these often contain patches for recently discovered security vulnerabilities.
- Avoid downloading applications from untrustworthy sources.
- Review application permissions before downloading. Unnecessary application permissions, such as a calculator application requiring SEND_SMS permission, can be a red flag indicating malware.
- Read user reviews of applications before downloading and look for a strong web presence. Applications without a developer website, Facebook page, Twitter account, or customer support number should be considered suspicious.
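The permission review in the tips above, and the oversized-activity-label trigger described in the bricking section, can both be checked statically before an APK is installed. The following script is an added example, not code from the original article or from any of the vendors it mentions; it parses an AndroidManifest.xml (a constructed sample is embedded) and reports permissions that do not fit a simple utility app along with any activity label at or above the 387,000-character length the article reports. The watch-list of permissions is an assumption for illustration.

```python
# Added example: static triage of an AndroidManifest.xml for two red flags
# discussed in the article: oversized activity labels and out-of-place
# permissions. Watch-list contents are an assumption, not an official list.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LABEL_LIMIT = 387_000  # label length the article reports as the reboot trigger

# Permissions a calculator-style utility should have no reason to request.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.REBOOT",
    "android.permission.READ_CALL_LOG",
}


def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for a manifest given as an XML string."""
    findings = []
    root = ET.fromstring(manifest_xml)
    # ElementTree stores namespaced attributes as "{namespace}localname".
    name_attr = f"{{{ANDROID_NS}}}name"
    label_attr = f"{{{ANDROID_NS}}}label"

    for perm in root.iter("uses-permission"):
        name = perm.get(name_attr, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"suspicious permission: {name}")

    for activity in root.iter("activity"):
        label = activity.get(label_attr, "")
        if len(label) >= LABEL_LIMIT:
            findings.append(
                f"oversized activity label ({len(label)} chars) on "
                f"{activity.get(name_attr, '?')}"
            )
    return findings


# Constructed sample: a "calculator" that asks for SMS and reboot rights.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REBOOT"/>
  <application android:label="Calculator">
    <activity android:name=".MainActivity" android:label="Calculator"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

On a real device the manifest can be pulled from an installed package with `adb` and decoded with a tool such as apktool before being fed to this check.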
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com, Twitter: @James_AfA