Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

More Android Malware Pulled From Google Play

Disguised as Mario Bros. and Grand Theft Auto games, the malware downloaded itself in stages to evade Google's automated security checks.

Google has pulled from Google Play two malicious Android apps that were disguised as legitimate versions of popular Mario Brothers and Grand Theft Auto titles.

According to Symantec, which recently spotted the apps and alerted Google, they were first added to Google Play on June 24 and had since been downloaded between 50,000 and 100,000 times. One was packaged as "Super Mario Bros.," while the other was titled "GTA 3 Moscow City," which also offers a clue to the geographic location of targeted Android users.

In reality, both apps were a Trojan app known as Dropdialer. Once installed, Dropdialer downloads an additional package, "Activator.apk," via file-sharing website Dropbox. The secondary payload allows the malware to send messages to premium-rate SMS numbers in Eastern Europe, in a type of attack often referred to as toll fraud. The malware then uninstalls the secondary payload, helping to disguise what it's been up to.


"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," said Symantec security researcher Irfan Asrar in a blog post. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."

By breaking up the malicious payload into pieces, the malware's developer was able to sneak it past the automated Google Bouncer malware-checking service that reviews apps before they can be added to Google Play. "The idea is simple: instead of having one payload that carries all of the malicious code for any given attack, break the threat into separate modules that can be delivered independently," said Asrar, in an overview of the technique he published last year.

Breaking malicious applications into pieces offers numerous additional benefits to attackers. "First, it obviates the telltale sign of a huge, overzealous permissions list accompanying the installation of the threat, which may alarm the user as to the intention of the malicious app," he said. "Secondly, smaller pieces are easier to hide and inject into other apps. Furthermore, dispersing the attack across separate apps complicates the integrated revocation processes from the service provider, marketplace, etc."

One mitigating factor with most Android malware is that users must first approve the app's installation, as well as its permission requests. Hence attackers, via a social-engineering attack, often disguise their malware as well-known software, and especially as "free" versions of these applications.

In the case of the Dropdialer apps recently discovered on Google Play, users had multiple opportunities to prevent the malicious software from executing. "After installation, the first application shows a notification in Russian informing the user that the application must be activated. The application mentions that by activating the application the user agrees to a set of rules. If a user chooses to read these rules--which are also in Russian--they provide very vague information regarding how much a user will be charged," read an analysis of the malware published by mobile security firm Lookout.

After the user agrees, the app downloads its secondary payload, which again triggers an Android warning. "A normal Android system installation message appears, asking if the user would like to install the application, which includes permissions to send SMS," said Lookout.
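The staged install-download-install-uninstall sequence described above is something a defender can look for on a test device. The following is an added example (not Symantec's, Lookout's or Google's code) that runs a simple detector over constructed, logcat-like event lines in an assumed `timestamp SOURCE: OP key=value ...` format; package names, URL and timestamps are made up:

```python
import re

# Constructed sample events modelled on the Dropdialer flow: a "game" fetches
# a second APK from a file host, that package installs with SMS permissions,
# and is removed again shortly afterwards. Not real device output.
SAMPLE_EVENTS = """\
12:00:01 PackageManager: INSTALL pkg=com.example.supermario perms=INTERNET installer=com.android.vending
12:00:40 Downloader: FETCH pkg=com.example.supermario url=https://dl.example-filehost.test/Activator.apk
12:00:45 PackageManager: INSTALL pkg=com.example.activator perms=SEND_SMS,RECEIVE_SMS installer=com.example.supermario
12:01:30 PackageManager: UNINSTALL pkg=com.example.activator
12:05:00 PackageManager: INSTALL pkg=com.example.notes perms=INTERNET installer=com.android.vending
"""

LINE_RE = re.compile(r"^(\S+) (\w+): ([A-Z]+) (.*)$")


def parse_event(line):
    """Turn one event line into a dict of its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, op, rest = m.groups()
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"ts": ts, "src": src, "op": op, **fields}


def find_staged_droppers(lines):
    """Return (parent, child) pairs where parent fetched an APK, child was
    installed by parent with SEND_SMS permission, and child was then removed."""
    downloads = {}   # parent pkg -> list of APK URLs it fetched
    staged = {}      # child pkg -> parent pkg that installed it
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["op"] == "FETCH" and ev.get("url", "").lower().endswith(".apk"):
            downloads.setdefault(ev["pkg"], []).append(ev["url"])
        elif ev["op"] == "INSTALL":
            parent = ev.get("installer")
            perms = set(ev.get("perms", "").split(","))
            if parent in downloads and "SEND_SMS" in perms:
                staged[ev["pkg"]] = parent
        elif ev["op"] == "UNINSTALL" and ev["pkg"] in staged:
            # Secondary payload cleaned up after use: the full pattern is present
            flagged.append((staged[ev["pkg"]], ev["pkg"]))
    return flagged


if __name__ == "__main__":
    for parent, child in find_staged_droppers(SAMPLE_EVENTS.splitlines()):
        print(f"staged dropper: {parent} installed and then removed {child}")
```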

Occasionally, however, attackers do find ways to install malicious apps automatically. For example, the malicious Android application jSMSHider--targeting Chinese users--was designed to infect smartphones using custom ROMs, which are custom-built Android distributions. In particular, attackers targeted a vulnerability related to the Android Open Source Project (AOSP), which uses "publicly available private keys ... to sign the custom ROM builds," according to an analysis of the malware published by Lookout.

These keys are used to authorize updates for the custom ROM. In a move reminiscent of the Flame malware, which used a spoofed Windows certificate to automatically install itself on targeted PCs via the Windows Update mechanism, jSMSHider could be delivered to custom ROM builds disguised as a system update, allowing the software--which eavesdrops on SMS communications--to automatically install itself. Oftentimes, the malware could then install secondary payloads, adding further attack functionality.
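Whether a device's platform build is signed with the public AOSP test keys is visible in its build properties: such builds report `test-keys` in `ro.build.tags` and in the trailing field of `ro.build.fingerprint`. The check below is an added example (not Lookout's or Google's code) over a constructed `build.prop` excerpt; the build values are made up:

```python
# Constructed build.prop excerpt for a hypothetical custom ROM signed with the
# public AOSP test keys. Sample data only, not a real device's properties.
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.id=IMM76D
ro.build.type=user
ro.build.tags=test-keys
ro.build.fingerprint=generic/full_maguro/maguro:4.0.4/IMM76D/eng.builder.20120701:user/test-keys
"""


def parse_build_prop(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def assess_signing(props):
    """Return a list of findings about the platform signing keys."""
    findings = []
    tags = props.get("ro.build.tags", "")
    if "test-keys" in tags:
        findings.append("ro.build.tags reports test-keys: platform signed with public AOSP keys")
    # Fingerprint layout: brand/product/device:release/id/incremental:type/tags
    fp = props.get("ro.build.fingerprint", "")
    head, sep, tail = fp.rpartition(":")
    if sep:
        fp_tags = tail.split("/")[-1]
        if fp_tags != tags:
            findings.append(f"tags mismatch: fingerprint says {fp_tags!r}, ro.build.tags says {tags!r}")
    return findings


if __name__ == "__main__":
    for finding in assess_signing(parse_build_prop(SAMPLE_BUILD_PROP)):
        print("finding:", finding)
```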

Reached for comment, Google declined to offer specifics on the Dropdialer-in-disguise app takedowns. "We remove applications that violate our policies, such as apps that are illegal or that promote hate speech," said a Google spokesman via email. "We don’t comment on individual applications--however, you can check out our policies for more information."

In addition to enforcing those policies, Google last year--in the wake of security firms noting an alarming rise in Android malware--unveiled Bouncer. Bouncer, however, isn't foolproof. For starters, it's automated. In comparison, Apple employs teams of application reviewers, who hand-screen all iOS apps before they're allowed into the Apple App Store. To date, only one malicious app, "Find and Call"--as well as one proof-of-concept attack authored by security researcher Charlie Miller--appears to have slipped past those reviewers.

By comparison, Google regularly needs to excise malicious apps--often aimed at perpetrating premium SMS toll fraud--from Google Play, but only after they've been spotted, downloaded, and apparently infected Android devices, thus generating fraudulent profits for attackers.


Comments
Andrew Hornback, 7/12/2012 | 2:20:49 AM
re: More Android Malware Pulled From Google Play
As long as there's money to be made in duping the end user of a new technology that they may have limited understanding about, there will always be a criminal element waiting to take advantage of them - and no matter how many security interlocks you put between the user and the criminal, someone will always find a way around them.

So, it looks like Google is happy with the idea of automating their process and just chalking up those who get damaged by the applications that get by their process as collateral damage. Apple's examining every application that comes in, by hand, and still doesn't have a perfect record.

With regards to the new attack vector discussed here, with applications being downloaded in pieces from various sites, etc., wouldn't it be possible (in a testing lab) to look at the data coming into and going out of the Android session to determine what the application is actually doing? If it was in the PC world, a simple network sniffer would be able to tell you all you'd need to know in very short order.

Andrew Hornback, InformationWeek Contributor