MALDROID

October 6, 2011, by Gautam Pai

You bought that new Android phone because you thought open source was the best for you, or because everyone is buying it. You thought that since it's a mobile OS there might not be anything in there that could cause you harm. You thought you were SAFE. Right? Wrong. You are about as right as the kid who believes in Santa Claus. According to recent research conducted by McAfee, Android is the most targeted mobile OS. The number of malware samples for Android has increased by 76%. But iOS has remained untouched.

So why the partiality of malware writers towards Android? Is it for the same reason that malware writers are more partial towards Windows than the Mac? In the case of Windows, it's far more embedded in the consumer space than Mac, so it's a much more lucrative market for the bad guys. But that is not the case with Android and iOS. According to Gartner research, Android has 36% of the market share and iOS has 16.8%. So there is not much difference there. Both operating systems make headlines, so it makes sense to go after both of them. The real reason why Android is hit more is its market ecosystem. Android has no vetting system in place to decide which apps go into its marketplace. It has given free rein to developers to upload any app they want. The onus is on the consumer to make the smart choice before downloading any app. On the other hand, Apple scrutinizes each app before it gets a place in their market. Therefore, there is little to no chance of any sneaky app coming in…

We will take a look at two of the most prolific malware families discovered on Android. We will start with Geinimi. Geinimi is a Trojan which comes as part of another, legitimate application. The repackaged payload inside the application is installed without the knowledge of the user. The app can be found on file-sharing websites and unofficial marketplaces, typically in China. After installation the Trojan attempts to connect to a C&C server. It connects to the following server via HTTP.

Once the connection is established the Trojan may attempt to do any or all of the following.

  • Collect and send information pertaining to the device, including the installed applications and its geographic location.
  • Upload contact information to a remote server.
  • Upload SMS data to a remote server.
  • Call or send an SMS to a specified number.
  • Install or uninstall software.
  • Show a map or a Web page.
  • Show a pop-up message.
  • Change the device wallpaper.
  • Create a shortcut.
  • Change list of C&C servers.

DroidKungFu is another malware family, capable of infecting devices running Android version 2.2 or lower. Once installed, the malware collects the IMEI number, phone model and OS version. It will then attempt to gain root. Once root is obtained it replaces the standard Google search with its own search. This serves as a backdoor which converts the device into a bot, which is then used to download more malicious apps. The malware has been released in many apps. A few package names are given below.

  • com.crazyapps.shake.to.fake.call
  • com.crazyapps.angry.birds.rio.unlocker
  • com.crazyapps.angry.birds.cheater.trainer.helper
  • com.crazyapps.angry.birds.multi.user
  • com.crazyapps.favorite.games.backup
  • com.crazyapps.com.call.ender.bad.reception.end.annoying.call.fake
  • com.crazyapps.time.limit.kids.users.bring.me.back.my.droid
  • com.crazyapps.chit.chat.robo.chat.bathroom.time.chat
  • com.planktond.guesslogo
  • com.choopcheec.android.snake

Now, the malware discussed above affected Android 2.2 or lower. But here comes the big one: GingerMaster. GingerMaster gets root privileges by exploiting the most recent root exploit for Android 2.3. As of now it has evaded all the leading mobile anti-virus products. As usual, the malware is packed into a legitimate app. Once installed, it launches a hidden service in the background and collects the IMEI number, OS version and model of the device. After getting root, GingerMaster connects to a C&C server and, as usual, fetches more bad things onto your Android.
Below is sample code from GingerMaster.

The nasties discussed above are not the only ones out there. There are a lot more. But how can you, as an Android user, be safe from them? Below are a few tips which can help you safeguard your device.

  1. Make sure you download only from the official Android Market.
  2. Be sure to check the ratings, reviews and developer information.
  3. Always check what rights your app has. You wouldn't want a live wallpaper having rights to read your SMS.
  4. Go to Settings > Applications and uncheck Unknown sources.
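Tip 3 can be checked before installing: `aapt dump badging app.apk` (from the Android SDK) lists every permission an APK requests. The script below is an added example, not code from the original post; it parses that output and reports which of the capabilities from the Geinimi list above (location, contacts, SMS, calls, installing software) the requested permissions would enable. The permission-to-capability mapping and the "live wallpaper" sample output are constructed for illustration.

```python
import re

# Android permissions that would grant each capability from the Geinimi
# list above. The grouping is an assumption made for this example.
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE"},
    "install": {"android.permission.INSTALL_PACKAGES",
                "android.permission.REQUEST_INSTALL_PACKAGES"},
}

# aapt has printed permissions both as "uses-permission: name='X'" and
# as "uses-permission:'X'" over the years; accept either form.
_PERM_RE = re.compile(r"^uses-permission:(?:\s*name=)?'([^']+)'")
_PKG_RE = re.compile(r"^package: name='([^']+)'")


def parse_badging(text):
    """Return (package_name, set_of_permissions) from `aapt dump badging` output."""
    package, perms = None, set()
    for line in text.splitlines():
        line = line.strip()
        m = _PKG_RE.match(line)
        if m:
            package = m.group(1)
        m = _PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def suspicious_capabilities(perms):
    """Capabilities from the list above that these permissions would enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


# Constructed sample: a "live wallpaper" that asks for far more than it needs.
SAMPLE = """\
package: name='com.example.wallpaper' versionCode='3' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission:'android.permission.ACCESS_FINE_LOCATION'
uses-feature: name='android.software.live_wallpaper'
"""

if __name__ == "__main__":
    pkg, perms = parse_badging(SAMPLE)
    print(pkg, suspicious_capabilities(perms))  # → contacts, location, sms
```

A wallpaper that can read and send SMS, read contacts and track location is exactly the mismatch tip 3 warns about; an empty result does not prove an app is clean, only that it is not asking for these particular rights.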

As always be alert and the little green dude we all love will be happy.

Gautam Pai works as a Software Engineer at HCL Technologies. He likes to keep himself busy in the world of computer and network security.
