Smartphone security firms have reason to worry. Malware threats to Android phones, which have established themselves in the smartphone category, are growing.

This time, mobile crooks are targeting certain features that were popular on PCs but are found to be vulnerable on Android phones. For, unlike other smartphones with proprietary app stores, Android phones keep their app stores ‘open’, exposing themselves to attacks by malware writers.

“Android phones are now drawing crooks’ attention. It is easier to launch malware on Android. In most cases, the phones are being compromised by installation of certain applications that exploit the vulnerabilities,” says Shantanu Ghosh, vice-president and managing director, India product operations, Symantec.

The Android phones offer a variety of applications that allow users to operate the phone for requirements that are beyond voice. Typically, smartphone makers offer applications through their app stores. Wresting control of the app stores, however, can allow malware writers to pick vulnerabilities in Android phones.

“Apple’s iPhone too has an app store but the applications that are available on the store are put through a stringent evaluation and it is a closed eco-system. In the case of Android, the eco-system is open and there are multiple app stores. That is precisely why the incidence of malware is high on Android phones,” says Ghosh.

Security solutions providers such as Symantec have gained an understanding of malware writers’ modus operandi. Instead of bringing down a handset (like they used to do with PCs), crooks attack by tempting a smartphone user to install an application. Any such installation exposes the phone to an attack at an opportune moment. Malware could range from mobile games to a simple map.

“A map application with malware is more dangerous. It provides the exact location of the phone-user and it is a great threat to the phone-user as a person. Similarly, there are malware in the guise of applications that track other forms of data, including mobile banking and the contacts list,” says another security analyst at a Hyderabad-based security solutions company.

A key difference between the early days of cybercrime targeting PCs and the current drift towards mobile platforms, Ghosh says, is that cybercriminals are not starting from scratch. There are circles within circles.

For instance, ‘SMS Privato Spy’ is marketed as an app that allows buyers (read scammers) to spy on a smartphone user by doing such things as viewing the phone screen live, viewing call logs, performing GPS tracking and activating the phone’s microphone to listen in on conversations.

The only problem - besides such an app being an obvious invasion of privacy - is that SMS Privato Spy doesn’t actually exist! Those behind the scam go to great lengths to convince potential buyers that it does exist. But all that the buyers get for their money is a lighter wallet. “This isn’t the first time we’ve seen scammers scamming other nefarious characters. But it is the first time that a scam is centered on mobile devices,” says Ghosh.

But there is malware that does exist, and discovering a bad app does not by itself solve the problem: such malware is hard to uninstall. Instead of infecting devices in one go, the attackers parcel out their ‘workload’ - their malicious code. This is similar to a smuggler who evades detection by bringing in small amounts of the consignment over a period of time, rather than sneaking in the entire lot in one attempt.

Smaller pieces are easier to hide. This strategy avoids a long permission list, which can trigger suspicion and give the game away. A new version of malware called Android.Lightdd attempted this. The first payload performs reconnaissance and intelligence-gathering (model, language, country, IMEI, IMSI, OS version), followed by the downloading of additional payloads. Following are some of the Android-specific mobile threats:

AndroidOS.Tapsnake

A user who downloads this application assumes that it is the Android version of the popular “Snake” game. What actually happens, however, is that the threat switches on the phone’s GPS and relays information about the user’s coordinates to the cybercriminal.

Android.Pjapps

Android.Pjapps is an example of a Trojan with backdoor capabilities that targets Android devices. As seen with previous Android threats, it spreads through compromised versions of legitimate applications. One of the applications carrying Android.Pjapps code is Steamy Window. Similar to other compromised Android applications, it is difficult to differentiate the legitimate version from the malicious one once it is installed.

During installation, however, it is possible to identify the malicious version by the excessive permissions it requests.
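A defender-side check for the point above, added here as an example (it is not code from the article or from Symantec): it parses two constructed AndroidManifest.xml files, a clean build and a repackaged build of a hypothetical screen-effect app, and reports the permissions the repackaged build requests beyond the clean one, plus any receiver that registers to run at boot. The watch-list annotations are this example's own mapping of permissions to the behaviours the article describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Watch list built from the behaviours the article describes; the mapping is
# this example's own, not Symantec's detection logic.
SUSPICIOUS = {
    "android.permission.ACCESS_FINE_LOCATION": "relay GPS coordinates (Tapsnake-style)",
    "android.permission.SEND_SMS": "send SMS on C&C command (Bgserv-style)",
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI for reconnaissance",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persist across reboots (Adrd-style)",
}

def declared_permissions(manifest_xml):
    # Every <uses-permission android:name="..."/> the package asks for at install time
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def boot_receivers(manifest_xml):
    # Receivers whose intent-filter registers for BOOT_COMPLETED, i.e. run-at-boot
    root = ET.fromstring(manifest_xml)
    return [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
            if any(a.get(ANDROID_NS + "name") == BOOT_ACTION for a in r.iter("action"))]

def permission_delta(legit_xml, suspect_xml):
    # Permissions the suspect build requests that the known-good build does not
    added = declared_permissions(suspect_xml) - declared_permissions(legit_xml)
    return {p: SUSPICIOUS.get(p, "not on watch list") for p in sorted(added)}

# Constructed manifests for a hypothetical screen-effect app: the clean build,
# and a repackaged build that adds permissions a visual effect has no use for.
LEGIT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".Main"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

Calling `permission_delta(LEGIT, SUSPECT)` flags INTERNET, READ_PHONE_STATE, SEND_SMS and RECEIVE_BOOT_COMPLETED as extra, and `boot_receivers(SUSPECT)` returns the `.Boot` receiver.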

When run, both the legitimate and the malicious versions of the application mimic a steam effect on your Android device’s screen. It even lets you wipe it off with your finger. The aim of Android.Pjapps is to build a botnet controlled by a number of different Command and Control (C&C) servers.

Android.Rootcager

The malicious Android packages (.apk) include the file “rageagainstthecage”, which is a tool commonly used to root the phone. In legitimate circumstances, this file can be used by the owner of the phone to acquire administrative rights on his or her phone. In this case, rooting the phone allows the malware we call Android.Rootcager to perform activities (such as taking screenshots) that are not normally permitted on Android phones.

Android.Rootcager roots the phone without user consent to perform various activities such as taking screenshots, monitoring installed applications and downloading additional packages of code.

Android.Adrd

This is the first Trojan horse for Android whose purpose is search engine manipulation. The threat uses pirated software to infect user devices. The threat author has selected popular apps to “Trojanise” and deliver malicious content on top of clean content. The threat registers itself to run at boot time. Android.Adrd also registers itself when a phone call is made or network connectivity settings are changed.

Android.Bgserv

The application “Android Market Security Tool”, which was designed to undo the side effects caused by Android.Rootcager, was published online. This application was automatically pushed to the devices of users who had downloaded and installed infected applications. Symantec, however, identified suspicious code within a repackaged version of the “Android Market Security Tool”.

This package was found on an unregulated third-party Chinese marketplace. This threat seems to be able to send SMS messages, if instructed by a command-and-control server.