As smartphones become the future of handheld devices, so do the threats associated with them. This is the second article of a series in which we attempt to cover a systematic characterization of existing Android malware, ranging from installation and activation to the malicious payloads carried. In the current article you can read details about malware activation tactics.

Malware Activation Techniques

In the previous post we looked at malware installation techniques. Now we examine the system-wide Android events of interest to existing Android malware. By registering for the related system-wide events, an Android malware can rely on Android's built-in support for automated event notification and callbacks to flexibly trigger or launch its payloads.

Malware Activation

Among all available system events, BOOT_COMPLETED is the one of most interest to existing Android malware. This is not surprising, as this particular event is broadcast when the system finishes its booting process – a perfect time for malware to kick off its background services.

In our observation, more than 80% of malware families listen to this event. For example, Geinimi listens to this event to bootstrap the background service “com.geinimi.AdService”.

SMS_RECEIVED comes second among the events malware are interested in. This is also reasonable, as many malware families are keen on intercepting or responding to incoming SMS messages. As an example, zSone listens to this SMS_RECEIVED event and intercepts or removes all SMS messages from particular originating numbers such as “10086” and “10010.”

We have also found that certain malware registers for a variety of events. For example, AnserverBot registers for callbacks from 10 different events, while BaseBridge is interested in 9 different events. Registering for a large number of events is expected to allow the malware to launch its carried payloads more reliably or more quickly.

In addition, we also observe that some malware samples directly hijack the entry activity of the host app, which is triggered when the user clicks the app icon on the home screen or when an intent with action ACTION_MAIN is received by the app. Hijacking the entry activity allows the malware to bootstrap its service immediately, before the host app’s primary activity starts. For example, DroidDream replaces the original entry activity with its own so that it gains control even before the original activity com.codingcaveman.SoloTrial.SplashActivity is launched. Some malware may also hijack certain UI interaction events (e.g., button clicks). An example is the zSone malware, which invokes its own SMS sending code inside the onClick() function of the host app.
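The activation tactics above (registering a receiver for BOOT_COMPLETED or SMS_RECEIVED, registering for many events at once, and swapping the launcher activity) are all visible in an app's manifest, so a triage script can surface them before any dynamic analysis. The following Python is an added example written for this article, not code from the original post or from any of the malware families named; it parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and reports these indicators. The sample manifest, the package and class names in it, and the "five or more events" threshold are all constructed assumptions for the example.

```python
"""Manifest triage for the activation tactics discussed above (added example,
not from the original article). Parses a decoded AndroidManifest.xml, lists
the broadcast actions each <receiver> registers for, flags the high-interest
events and receivers that register for many events, and checks whether the
launcher activity is the one the analyst expects."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

BOOT = "android.intent.action.BOOT_COMPLETED"
SMS = "android.provider.Telephony.SMS_RECEIVED"
HIGH_INTEREST = {BOOT, SMS}   # the two events the article singles out
MANY_EVENTS = 5               # threshold is an assumption for this example

# Constructed sample manifest; package and class names are placeholders,
# not identifiers of any real app or malware sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.host">
  <application>
    <activity android:name="com.example.host.SplashActivity"/>
    <activity android:name="com.example.injected.EntryActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.injected.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.injected.SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.injected.ManyEventsReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.BATTERY_CHANGED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.SIG_STR"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _filters(component):
    return component.findall("intent-filter")


def _actions(intent_filter):
    return {a.get(NAME) for a in intent_filter.findall("action")}


def receiver_actions(manifest_xml):
    """Map each statically declared <receiver> to the actions it listens for."""
    root = ET.fromstring(manifest_xml)
    return {r.get(NAME): set().union(*(_actions(f) for f in _filters(r)))
            for r in root.iter("receiver")}


def launcher_activity(manifest_xml):
    """Return the activity owning the MAIN/LAUNCHER intent-filter, if any."""
    root = ET.fromstring(manifest_xml)
    for activity in root.iter("activity"):
        for f in _filters(activity):
            cats = {c.get(NAME) for c in f.findall("category")}
            if ("android.intent.action.MAIN" in _actions(f)
                    and "android.intent.category.LAUNCHER" in cats):
                return activity.get(NAME)
    return None


def sms_filter_priorities(manifest_xml):
    """Receivers whose SMS_RECEIVED filter sets android:priority. On Android
    versions before 4.4 a high-priority receiver could abort the ordered
    broadcast, which is how SMS interception of the kind described worked."""
    root = ET.fromstring(manifest_xml)
    return {r.get(NAME): int(f.get(PRIORITY))
            for r in root.iter("receiver") for f in _filters(r)
            if SMS in _actions(f) and f.get(PRIORITY) is not None}


def triage(manifest_xml, expected_launcher=None):
    """Return a list of human-readable findings for one manifest."""
    findings = []
    for name, actions in receiver_actions(manifest_xml).items():
        hits = sorted(actions & HIGH_INTEREST)
        if hits:
            findings.append(f"{name}: listens for high-interest event(s) "
                            + ", ".join(hits))
        if len(actions) >= MANY_EVENTS:
            findings.append(f"{name}: registers for {len(actions)} distinct events")
    for name, prio in sms_filter_priorities(manifest_xml).items():
        findings.append(f"{name}: SMS_RECEIVED filter has priority {prio}")
    launcher = launcher_activity(manifest_xml)
    if expected_launcher is not None and launcher != expected_launcher:
        findings.append(f"launcher activity is {launcher}, expected {expected_launcher}")
    return findings


def event_popularity(manifests):
    """Count, per action, how many manifests register for it (the kind of
    statistic behind the 80% BOOT_COMPLETED figure above)."""
    counter = Counter()
    for m in manifests:
        counter.update(set().union(*receiver_actions(m).values()))
    return counter


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, "com.example.host.SplashActivity"):
        print(line)
```

Run against the sample, `triage()` reports the boot receiver, the SMS receiver and its elevated filter priority, the receiver registering for six distinct events, and the launcher activity that differs from the one the analyst expected for the host app. The script only sees receivers declared in the manifest; receivers registered at runtime through `Context.registerReceiver()` need code or dynamic analysis, and `event_popularity()` is there to reproduce the family-level event counts over a corpus of decoded manifests.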