This is the second part of a two-part blog based on my paper for AVAR 2011 that discusses the Android Threat Landscape and the ways of mitigating the risk.
Continuing from the first part of my paper…
Threat Store
Similar to the change in the malware trend for PCs, Android also has a change in the trend for its threats. During the early stages, most of the Android threats were found to be of less severity. Compromised devices were used to send out SMSs or make calls to premium rate numbers without the user’s knowledge, e.g. Trojan-SMS.AndroidOS.FakePlayer.a [Kaspersky].
Towards the end of the year 2010, Android malware took a different shape with botnet behaviour that works with a Command & Control method, awaiting remote commands from the malware author. As per the commands received, most malicious applications either download various other applications or send out confidential data, unique device identifiers, and the SIM card number to the malware author. Trojan.AndroidOS.Genimi is one such malware, which takes pride in behaving like a bot.
Some malware avail of certain vulnerabilities to gain root access to the device and perform their desired actions. The infamous TrojanSpy:AndroidOS/DroidDream.A (aka Backdoor.AndroidOS.Rooter.a [Kaspersky]), is of the kind that acquires root access to the victim’s device. Droiddream is often found to be bundled with legitimate applications, like games, and gets installed with the original application. 
The first time round it requires user intervention to start itself. Once the infected application is started, to gain root access, it uses the PoC exploit called Exploid. If this action fails, it tries another PoC exploit, RageAgainsttheCage. Once root access has been secured, Droiddream checks if the DownloadsManager package is installed on the device, and if not installed, it installs the application that it carries within itself in the system/apps directory. This time the user will not be requested for the permissions needed to install the application. The malicious DownloadsManager application installs silently in the background and starts the specified service. This application can now act as per the commands from the C&C server.
The recent Android malware trend has advanced further. Android threats can now even make new outgoing calls, record the conversation on calls without the user’s knowledge, monitor and log the activities of the user in the device, and pass on all of this information to the malware controller. Trojan.AndroidOS.NickiSpy, mentioned earlier, functions as described.
Let us have a quick look at the behavior of some of the known Android malware, which were found since August 2010. The threats are listed in chronological order:
| Threat Name | Behavior |
| Trojan-SMS.AndroidOS.FakePlayer.a, Trojan-SMS.AndroidOS.FakePlayer.b, Trojan-SMS.AndroidOS.FakePlayer.c | Manual install, distributed via SMS,sends out SMS to premium rate numbers, third party market |
| AndroidOS_Droisnake.A | Manual install, sends out GPS information to a server, downloads an application and gains user data, Android Marketplace |
| Trojan- Spy.AndroidOS.Geinimi.a | Both manual and automatic install, botnet, works on C&C method, third party Chinese market |
| Trojan-Spy.AndroidOS.Adrd.a | (Less severe version of Trojan- Spy.AndroidOS.Geinimi.a), manual install only, botnet, works on C&C method, third party Chinese market |
| Trojan-Spy.AndroidOS.Adrd.c | Manual install, works on C&C method, Third party Android Marketplace |
| Backdoor.AndroidOS.Rooter.a, Well-Known, DroidDream Malware | Manual install, first to exploit Exploid and RageAgainsttheCage code, gains root access, Android Marketplace |
| Backdoor.AndroidOS.SerBG.c | Manual install, Android Marketplace, gains root access, bundled with a security tool released as a Droiddream Cure |
| Android.Zeahache | Manual install, gains root access, first found in a Chinese application downloaded from a Chinese application market |
| Trojan.AndroidOS.Pirater.a | Manual install, both Android and third party markets, sends out SMS or makes calls to premium rate numbers, gathers information like phone status, network status, accesses address book, also capable of malfunctions like switching the phone on or off |
| Backdoor.AndroidOS.Adsms.a | Distributed via SMS, targets Chinese users, installs a configuration file that sends out SMS to premium rate numbers, Android Marketplace |
| Trojan-SMS.AndroidOS.Raden.b | Manual install, Android Marketplace, targets Chinese users to send out SMS to premium rate numbers |
| Trojan-Downloader.AndroidOS.DorDrae.b, well-Known as DroidDreamLight | New version of the same DroidDreamLight, manual install, works on C&C method, Android Marketplace |
| Backdoor.AndroidOS.KungFu.b | Both manual and automatic install, gains root access, works on C&C method |
| Android.Basebridge | Manual install, third party market, gains root privileges, sends out SMS to premium rate numbers, capable of malicious functions like making calls, deleting all inbox messages, etc |
| Trojan.AndroidOS.Plangton.b | Both manual and automatic install, Android Marketplace, sends out the device information to a remote server, downloads a file from the remote server that monitors all activities and sends back the information to the remote server, simply works in C&C fashion |
| Backdoor.AndroidOS.Xsider.b | Both manual and automatic install, third party market, targets Chinese users and those who use custom ROMs |
| Android.Golddream | Both manual and automatic install, third party and Android Marketplace, works on C&C method |
| Trojan-Spy.AndroidOS.Smser.a, Trojan-SMS.AndroidOS.Hispo.a, | Manual install, third party market, sends out all the SMS from the compromised device to a remote location |
| Android/Sndapps.A | Manual install, Android Marketplace, works on C&C , sends out personal information like email addresses and numbers in the contact list to a remote server |
| Android.NickiSpy | Manual install, third party market, first to spy on user conversations, record and send it to a remote server, works on C&C method |
| Trojan-Spy.AndroidOS.Cosha.a (well-known as Android.LuvTrap) | Manual install, Chinese third party market, downloads premium rate numbers from a website and sends out SMS to those numbers by masking the confirmation alerts from users |
| Android.Premiumtext | Manual install, third party market, sends out premium rate SMS |
| Android.Nickibot | Manual install, third party market, newer version of Nickispy, but controlled by SMS messages instead of C&C messages, |
| Android.Dogowar | Manual install, Third party market, sends out SMS to all of the contact numbers |
Table 1: Android Malware from August 2010 to September 2011
The list in Table 1 is extensive and does not include the malware seen after the time mentioned. Some of the malware are found to be bundled with Chinese applications when they are spotted for the first time, and most Android malware are believed to originate in Russia or China.
With the advancement in technology, smartphones play a vital role in managing business communications. There is a huge risk that sensitive data stored on smartphones may get stolen. Mobile security reports reveal the immense growth of Android malware since 2010, as exemplified in Table 1. All Android users should be aware of the risks of infection, and the possible ways of safeguarding themselves.
DIY SOS
Most of the time users, when downloading applications either for their PC or mobile device, during the installation process, are impatient when reading through the licence agreement or any alerts that popup. They tend to simply say ‘OK’ for the installation. Hackers find gaining the user’s own permission as their easiest way of compromising a mobile device. This process is called “social engineering”, a classic exploitation of “PEBCAK”, i.e. “Problem Exists Between Chair And Keyboard” when applied to PCs. In the case of mobile devices, a more appropriate acronym could be …”SUPER”, i.e. Smart User Prevents Error Root.
Social networking plays a major role in the modern world and is a widely used global communication medium. Hackers take advantage of the users of smartphones that facilitate social networking, often via applications that trick the user into providing the required permissions to access the contacts list or email address book. Once these permissions are granted, it may be possible to send out unwanted SMS or spam mails from the compromised device. Users have the responsibility to pay close attention to the permission levels they grant for the applications they install, deciding whether each application is in need of the requested Capabilities to perform its activities. Of course, this is no easy task given that many users may be technically unable to gauge the specific permissions required per application. More information and education in this respect might be helpful.
Additionally, users need to be aware of the usage of the applications which they download and from where they are downloaded. Users are strongly recommended to download applications from the established and dedicated online Android application market(now play store), rather than downloading from a new or unknown source. This will reduce the risk of becoming a malware victim to an extent, since the well-known markets are scrutinized on a regular basis and infected or malware applications will be cleared off. It also helps that applications from the Android Marketplace(now play store) come with review comments and a reputation level for the applications. This may guide the user in validating applications prior to install.
Users, as always, should have updated security software installed to protect their devices from being hijacked. Security software will block known malware, whilst also monitoring the runtime behavior of applications such that any malpractice identified would be blocked. Security software could also block access to unwanted or blacklisted websites, in addition to blocking suspicious network activity without explicit user consent.
Some of the Android Security software products have Parental Control included in their features list that helps users to either blacklist or whitelist a contact number, which holds good even for SMS services. User would then be able to add contact information to a whitelist database, restricting the numbers to which SMS can be sent.
As Android malware aim at obtaining root access, few security products go a step further and identify if the device is ‘rooted’ and warn the user about the same. This feature also explicitly alerts the user if any application requests root access.
In the event that a phone is lost or stolen, in which case all the information stored in the phone is now exposed to the outside world, some security software provides the users with the ability to remotely clear off the data from the stolen device, and block the device itself, with an online data backup to recover the lost data.
With Freedom Comes Great Responsibility
Google’s target to spread Android in Asia is being achieved with great success, as exemplied by the Android sales graph which shows a persistent upward trend. The cost effective Android phones have already conquered much of the smartphone-user and gadget-lover market. However, the popularity of Android makes it a viable and tempting target for hackers, and therefore the increasing spread of Android-specific malware has to be expected.
Current Android malware functionality ranges from sending SMS (to premium rate numbers) to stealing confidential data, and being controlled via remote Command & Control servers. Hackers use online Android application markets as a pathway onto the victim’s device. It’s a must that users make themselves well aware of the online stores, which must be of good repute, from where they download applications.
The Android OS strives to fulfil the user’s demand for security features within its current security model. The concept of permissions via application ‘Capabilities’, to an extent, holds good to protect the device from abuse. However, the hackers use clever social engineering techniques to entice users into providing the requisite permissions to their malware programs. Users should be wary of attempts to trick them into granting permissions which are inconsistent with the advertised functionality of the application in question.
It goes without saying that each device should have security software installed to detect and block any untoward activity. However, as the proverb goes, “Prevention is better than Cure”. User education and vigilance would go a long way in mitigating the spread of Android malware, and users have a role to play in this respect. 
Images courtesy of:
glogster.com
phandroid.com
www.apimarketing.com
popolsku.nl
Preventionistheanswer.org
V.Dhanalakshmi
Malware Analyst, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
https://labs.k7computing.com/feed/
