The Latest in IT Security

Android Malware Found to Send Remote Commands


Apart from those apps that register users for unwanted services and those that aggressively push ads, Android users should also worry about apps with backdoor capabilities.

While premium service abusers and adware accounted for the majority of malicious apps in 2012, they are not the only threats to Android. Reports of a botnet running on more than a million smartphones recently made the headlines, which goes to show that attacks aimed at Android devices are varied and far from over.

Prior to these reports, we had been seeing this malware in the wild since July 2012, and we have so far detected 4,282 in the wild. The related samples we analyzed (detected by Trend Micro as ANDROIDOS_KSAPP.A, ANDROIDOS_KSAPP.VTD, ANDROIDOS_KSAPP.CTA, ANDROIDOS_KSAPP.CTB, and AndroidOS_KSAPP.HRX) were from a certain third-party app store, though we suspect there are others available on several app providers. Typically, these apps are marketed as gaming apps; some of them bear the titles of popular games or are repackaged versions of them.

The first batch of samples we analyzed was packaged using the same app title, purportedly from the same company.

Once any of these malicious apps is installed on a device, it contacts the following remote sites to acquire a compressed script, then parses that script:

  • http://{BLOCKED}y.{BLOCKED}
  • http://{BLOCKED}n.{BLOCKED}
  • http://{BLOCKED}

This parsing of the downloaded script makes it more complicated than typical botnet-related malware found on Android, since the malware can equip itself with a new script.


The malware also updates the running script to avoid being detected by antivirus (AV) software, as highlighted above. This updating mechanism enables the malware to download a new variant of itself. The remote script also contains customized commands that a remote attacker can execute on the infected device. For example, the app can execute a test call function (code seen below):


After the remote script is parsed, new Java objects (e.g., variables and functions) can be instantiated using Java reflection, so dynamic remote code can be executed on the local device, which may lead to the download of other possibly malicious files. To prompt users to install these files, the app shows a notification bar or pop-up windows. Users who download these files are unfortunately making their devices vulnerable to further malware infection. Moreover, by installing ANDROIDOS_KSAPP variants, users are allowing their devices to be controlled by a remote user who can execute more sinister commands.
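The behaviour described above (fetch a compressed script, parse it, instantiate objects through reflection) can be turned into a static triage check over an app's disassembled smali. The following is an added example, not code from the original analysis; the API references it searches for and the sample classes are assumptions constructed for illustration, not ANDROIDOS_KSAPP signatures.

```python
import re

# Smali references for the three behaviours the article describes. The specific
# APIs are assumptions: the article does not name the calls the malware uses.
INDICATORS = {
    "network_fetch": ("Ljava/net/URL;->openConnection", "Ljava/net/HttpURLConnection;"),
    "decompress": ("Ljava/util/zip/GZIPInputStream;", "Ljava/util/zip/InflaterInputStream;"),
    "reflection": ("Ljava/lang/Class;->forName", "Ljava/lang/reflect/Method;->invoke"),
}
METHOD_RE = re.compile(r"^\.method\s+(?P<sig>.*?)$(?P<body>.*?)^\.end method", re.M | re.S)
CLASS_RE = re.compile(r"^\.class\s+.*?(L[\w/$]+;)", re.M)

# Constructed smali, not taken from any real sample.
SAMPLE_LOADER = """\
.class public Lcom/example/game/ScriptRunner;
.method private fetch(Ljava/lang/String;)Ljava/io/InputStream;
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    new-instance v1, Ljava/util/zip/GZIPInputStream;
.end method
.method private run(Ljava/lang/String;)V
    invoke-static {p1}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    invoke-virtual {v2, v3, v4}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
.end method
"""
SAMPLE_BENIGN = """\
.class public Lcom/example/game/ScoreUpload;
.method public post()V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
.end method
"""

def scan_class(smali_text):
    """Return (class_name, {method_signature: set of behaviours referenced})."""
    m = CLASS_RE.search(smali_text)
    hits = {}
    for method in METHOD_RE.finditer(smali_text):
        found = {name for name, refs in INDICATORS.items()
                 if any(ref in method.group("body") for ref in refs)}
        if found:
            hits[method.group("sig").split()[-1]] = found
    return (m.group(1) if m else "<unknown>"), hits

def triage(smali_files):
    """Return classes whose methods together fetch, decompress and reflect."""
    flagged = []
    for cls, hits in map(scan_class, smali_files):
        if set().union(*hits.values()) == set(INDICATORS):
            flagged.append((cls, hits))
    return flagged
```

Legitimate apps also combine these APIs, so a flagged class is a prompt for manual review of what the reflected calls are fed, not a verdict.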

2012 was the year that Android threats went beyond litmus testing. In our 2012 Annual Security Roundup, we noted that the number of Android malware grew to 350,000, a significant leap from the 1,000 mobile malware we saw in 2011. This increase is reminiscent of the PC threat story but at a faster rate. If this trend continues this year, we predict that the volume of malicious and high-risk Android apps will hit 1 million in 2013.

To protect their devices, users must be extra careful when downloading apps, especially those hosted on third-party app providers. Reviewing the app’s description and developer reputation is also a commendable way to avoid installing programs that can compromise the device’s security. For better protection, users should install antivirus programs like Trend Micro Mobile Security Personal Edition, which detects these malicious apps.

For more information about the Android Threat Landscape, users may refer to our Mobile Security Hub.

Analysis by Mobile threat analyst Veo Zhang
