As smartphones become the dominant handheld device, so do the threats that target them. This article summarizes a systematic characterization of existing Android malware, covering how it is installed, how it is activated, and what malicious payloads it carries. This part covers Android malware installation tactics.
A. Malware Installation
The ways existing Android malware gets onto user phones can be generalized into three main social-engineering-based techniques: repackaging, update attack, and drive-by download. The techniques are not mutually exclusive; different variants of the same family may use different techniques to trick users into downloading and installing the malware on their devices.
1) Repackaging
Repackaging is one of the most common techniques malware uses to piggyback malicious payloads onto popular applications. In short, malware authors locate and download popular apps, disassemble them, enclose malicious payloads, then re-assemble the result and submit the new apps to official and/or alternative Android markets. Users are infected when they download and install these repackaged apps.
To quantify the use of repackaging among malware samples, we take the following approach: if a sample shares its package name with an app in the official Android Market, we download the official app (if free) and manually compare the two; the difference typically is the malicious payload added by the malware author. If the original app is not available, we disassemble the malware sample and manually determine whether the malicious payload is a natural part of the host app's main functionality. One malware family, GoldDream, utilizes both for its infection. Malware authors have chosen a variety of apps for repackaging, including paid apps, popular games, powerful utility apps (including security updates), and porn-related apps. For instance, one AnserverBot sample repackaged the paid app com.camelgames.mxmotor from the official Android Market. One BgServ sample repackaged the security tool Google released to remove DroidDream from infected phones.
Also, presumably to hide the piggybacked payload, malware authors tend to pick class and package names that look legitimate and benign. For example, AnserverBot places its payload under the package name com.sec.android.provider.drm, which looks like a module providing legitimate DRM functionality. The first version of DroidKungFu uses com.google.ssearch to pose as the Google search module, and its follow-up versions use com.google.update to pose as an official Google update. It is interesting to note that one malware family, jSMSHider, is signed with a publicly available private key (serial number b3998086d056cffa) that is distributed with the Android Open Source Project (AOSP). The Android security model allows apps signed with the same platform key as the phone's firmware to request signature-level permissions that are otherwise unavailable to normal third-party apps.
One such permission allows installing additional apps without user intervention (android.permission.INSTALL_PACKAGES). Unfortunately, a few popular custom firmware images were signed with the default key distributed in AOSP. On such firmware, jSMSHider-infected apps obtain privileged permissions and can perform dangerous operations without the user's awareness.
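The comparison described above (official app versus suspect sample sharing its package name) can be mechanized as a first triage step. The following is an added example, not code from the paper or this article: it diffs the entries of two APKs and checks whether the suspect was re-signed, which a repackager cannot avoid because it does not hold the developer's private key. The two APKs are constructed in memory with placeholder content (a real APK's manifest is binary AXML and its CERT.RSA is a PKCS#7 block); a real run would fetch the official APK by package name and compare the extracted signing certificates, including against the AOSP platform key mentioned above.

```python
"""Triage of a suspected repackaged APK against the official build of the
same package name: diff the archive entries and check whether the app was
re-signed.  Added example, not code from the paper or this article.  The two
APKs below are constructed in memory for the demonstration.
"""
import hashlib
import io
import zipfile

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_apk(entries):
    """Constructed stand-in for an APK: a zip holding {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map each file entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def signature_blocks(digests):
    """Names of the signer blocks under META-INF/ (CERT.RSA and friends)."""
    return {name for name in digests
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)}


def diff_apks(official, suspect):
    """Compare two APKs sharing a package name and summarize what changed."""
    o, s = entry_digests(official), entry_digests(suspect)
    added = sorted(set(s) - set(o))
    removed = sorted(set(o) - set(s))
    modified = sorted(name for name in set(o) & set(s) if o[name] != s[name])
    # A repackager does not hold the developer's private key, so any change
    # to the package forces a re-sign: the signer block must differ or vanish.
    o_sig, s_sig = signature_blocks(o), signature_blocks(s)
    resigned = o_sig != s_sig or any(o[name] != s[name] for name in s_sig)
    # Entries that carry code are where an enclosed payload usually lands.
    code = tuple(name for name in added + modified
                 if name.endswith((".dex", ".so", ".jar", ".apk")))
    return {"added": added, "removed": removed, "modified": modified,
            "resigned": resigned, "code_changed": code}


# Constructed sample data (not real apps): a paid game and a repackaged copy
# whose classes.dex grew a payload under a benign-looking package name, whose
# manifest gained a permission, and which was re-signed by the repackager.
_COMMON = {
    "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 16,
}
OFFICIAL_APK = build_apk({
    **_COMMON,
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82original-developer-signer",
})
SUSPECT_APK = build_apk({
    **_COMMON,
    "AndroidManifest.xml": b"<manifest package='com.example.game'>"
                           b"<uses-permission android:name='android.permission.SEND_SMS'/></manifest>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64 + b"Lcom/sec/android/provider/drm/Payload;",
    "assets/cfg.bin": b"\x01\x02\x03",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nrebuilt\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\nrebuilt\n",
    "META-INF/CERT.RSA": b"\x30\x82repackager-signer",
})


def triage_report():
    """Diff the constructed suspect against the constructed official build."""
    return diff_apks(OFFICIAL_APK, SUSPECT_APK)


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

The `resigned` flag is the strongest single signal: a modified `classes.dex` with an unchanged signer block is impossible, and an unchanged `classes.dex` with a changed signer block still means somebody other than the developer built the package. The content-level comparison of the modified entries (disassembling both `classes.dex` files) is the manual step that follows.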
2) Update Attack
The first technique typically piggybacks the entire malicious payload onto the host app, which risks exposing its presence. The second technique is harder to detect. It may still repackage popular apps, but instead of enclosing the payload as a whole, it includes only an update component that fetches or downloads the malicious payload at runtime. As a result, static scanning of the host app may fail to capture the malicious payload. The literature reports four malware families that adopt this attack: BaseBridge, DroidKungFuUpdate, AnserverBot, and Plankton.
Let us look at some examples of the update attack among malware families already detected and analyzed in the literature.
The BaseBridge malware has a number of variants. While some embed root exploits that allow silent installation of additional apps without user intervention, we focus here on the variants that use the update attack without root exploits. When a BaseBridge-infected app runs, it checks whether an update dialogue needs to be displayed. If so, it tells the user a new version is available and offers to install it (the "new version" is actually stored inside the host app as a resource or asset file). If the user accepts, the "updated" version carrying the malicious payload is installed. Because the malicious payload is in the "updated" app rather than in the original app itself, this is stealthier than the first technique, which includes the entire payload from the start.
The DroidKungFuUpdate malware is similar to BaseBridge, but instead of carrying the "updated" version inside the original app, it downloads the new version from the network. It also takes a stealthy route by notifying the user through a third-party library that provides (legitimate) notification functionality (similar to the automatic notifications of Google's Cloud to Device Messaging framework). The captured network traffic shows that the update request is initiated by the original host app to update itself. Once downloaded, the "updated" version turns out to be the DroidKungFu3 malware. DroidKungFuUpdate was available on both official and alternative Android markets. Both update attacks described so far require user approval to download and install the new version.
The next two families, AnserverBot and Plankton, advance the update attack by stealthily upgrading certain components of the host app rather than the entire app. As a result, no user approval is required. In particular, Plankton directly fetches and runs a jar file hosted on a remote server, while AnserverBot retrieves a public (encrypted) blog entry that contains the actual payload for the update. The stealthy nature of these update attacks poses significant challenges for detection.
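Because the payload is not in the installed package, a scanner has to look for the machinery of the update attack instead of the payload. The following is an added example, not code from the paper or this article, that looks for the two indicators the families above leave behind: a nested APK, JAR or DEX file carried as an asset or raw resource (the BaseBridge pattern of shipping the "update" inside the host, often under a disguised file name, so it is identified by content rather than name), and references in classes.dex to the runtime class-loading API that Plankton- and AnserverBot-style component updates need in order to execute code fetched after installation. The sample APKs are constructed in memory; the string-pool search over classes.dex is a triage shortcut, not a dex parser.

```python
"""Static triage for update-attack indicators.  Added example, not code from
the paper or this article.  Sample APKs are constructed in memory.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
# Framework types an app references when it loads code that was not in the
# installed package.  Ad SDKs and plugin frameworks use them too, so this is
# a triage signal that needs follow-up, not a verdict.
LOADER_REFS = (b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/DexFile;")
PAYLOAD_DIRS = ("assets/", "res/raw/")


def build_apk(entries):
    """Constructed stand-in for an APK: a zip holding {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_blob(data):
    """Identify an embedded file by content, since the name is often disguised."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = set(inner.namelist())
        except zipfile.BadZipFile:
            return None
        if "AndroidManifest.xml" in names:
            return "apk"
        if "classes.dex" in names:
            return "jar"
    return None


def scan_apk(apk_bytes):
    """Return embedded-payload and class-loader findings for one APK."""
    findings = {"embedded_payloads": [], "loader_refs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info)
            if name.startswith(PAYLOAD_DIRS):
                kind = classify_blob(data)
                if kind:
                    findings["embedded_payloads"].append((name, kind))
            elif name.startswith("classes") and name.endswith(".dex"):
                # A raw substring search over the dex string pool is enough
                # for triage; a full dex parser would also give the call sites.
                findings["loader_refs"] += [ref.decode() for ref in LOADER_REFS if ref in data]
    findings["update_capable"] = bool(findings["embedded_payloads"] or findings["loader_refs"])
    return findings


# Constructed samples (not real malware).
_BASE = {"AndroidManifest.xml": b"<manifest package='com.example.host'/>",
         "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n"}
CLEAN_APK = build_apk({**_BASE, "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
                       "assets/levels.txt": b"level1\nlevel2\n"})
# Whole "updated" app carried as an innocuously named asset.
BASEBRIDGE_STYLE_APK = build_apk({
    **_BASE, "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "assets/update.dat": build_apk({"AndroidManifest.xml": b"<manifest package='com.example.update'/>",
                                    "classes.dex": b"dex\n035\x00" + b"\x00" * 32}),
})
# No payload on disk; the dex references the loader used to run a fetched jar.
PLANKTON_STYLE_APK = build_apk({
    **_BASE, "classes.dex": b"dex\n035\x00" + b"\x00" * 32 + b"Ldalvik/system/DexClassLoader;\x00",
    "assets/levels.txt": b"level1\n",
})


if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("basebridge-style", BASEBRIDGE_STYLE_APK),
                       ("plankton-style", PLANKTON_STYLE_APK)):
        print(label, scan_apk(apk))
```

A hit on `loader_refs` alone is common in benign apps, so the follow-up is to find where the loaded file comes from: a network fetch (DroidKungFuUpdate, Plankton), a decrypted blog entry (AnserverBot), or a bundled asset (BaseBridge). An encrypted embedded payload, such as AnserverBot's, would not match the magic-byte check and needs the decryption routine located in the dex first.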
3) Drive-by Download
The third technique applies traditional drive-by download attacks to the mobile space. They do not directly exploit mobile browser vulnerabilities; they lure users into downloading "interesting" or "feature-rich" apps. In the literature we came across four such malware families: GGTracker, Jifake, Spitmo and ZitMo. The last two are designed to steal the user's sensitive banking information.
The GGTracker malware starts with in-app advertisements. When a user clicks a particular advertisement link, it redirects the user to a malicious website that claims to analyze the battery usage of the user's phone and then redirects the user to a fake Android Market to download an app claimed to improve battery efficiency. The downloaded app does nothing for the battery; it is malware that subscribes to a premium-rate service without the user's knowledge.
Similarly, the Jifake malware is downloaded when users are redirected to a malicious website. However, it does not use in-app advertisements to attract and redirect users. Instead, it uses a malicious QR code which, when scanned, redirects the user to a URL hosting the Jifake malware. The malware itself is a repackaged mobile ICQ client that sends several SMS messages to a premium-rate number. While QR-code-based malware propagation had been warned about earlier, this was the first time the attack actually occurred in the wild.
The last two, Spitmo and ZitMo, are ported versions of the notorious PC malware SpyEye and Zeus. They work in a similar manner: when a user does online banking on a compromised PC, the user is redirected to download a particular smartphone app that claims to better protect online banking activities. The downloaded app is actually malware that collects mTANs or SMS messages and sends them to a remote server. These two families rely on compromised desktop browsers to launch the attack. Though it may seem hard to infect real users this way, the fact that they can steal sensitive banking information is a serious warning to users.
We have so far presented the three main social-engineering-based techniques used by existing Android malware. Next, we discuss some malware samples that, according to the literature, do not fall into the above three categories.
The first group is self-described spyware: it is meant to be installed on the victim's phone on purpose by whoever wants to monitor the victim. That probably explains why the attackers have no motivation or need to lure the victim into installing it. GPSSMSSpy is an example; it listens for SMS-based commands to record and upload the victim's current location.
The second group includes fake apps that present themselves as legitimate apps but covertly perform malicious actions, such as stealing users' credentials or sending SMS messages in the background. FakeNetflix is an example that steals the user's Netflix account name and password. Note that it is not a repackaged version of the Netflix app; it disguises itself as the Netflix app by copying its user interface.
FakePlayer is another example. It disguises itself as a movie player but does not provide the advertised functionality at all; all it does is send SMS messages to premium-rate numbers without the user's awareness.
The third group contains apps that also intentionally include malicious functionality (e.g., sending unauthorized SMS messages or automatically subscribing to some value-added service). The difference from the second group is that they are not fake: they do provide the functionality they advertise, but, unknown to users, they also include certain malicious functionality. For example, one RogueSPPush sample is an astrology app, but it automatically subscribes the user to premium-rate services and deliberately hides the confirmation SMS messages.
The last group includes apps that rely on root privilege to function. Instead of asking the user to grant them root, they leverage known root exploits to escape the built-in security sandbox. Though these apps may not clearly demonstrate malicious intent, using root exploits without user permission seems to cross the line. Examples in this group include Asroot and DroidDeluxe.
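The premium-SMS behaviour of the second and third groups (FakePlayer, RogueSPPush) leaves a recognizable footprint in the manifest: an app that requests SEND_SMS and also registers a high-priority receiver for incoming SMS can send premium-rate messages and then consume the carrier's confirmation SMS before the user's messaging app sees it. The following is an added example, not code from the paper or this article, that applies this heuristic to a decoded text-form AndroidManifest.xml (as apktool emits). The two manifests are constructed for the demonstration, and the priority threshold is an assumption.

```python
"""Manifest heuristic for SMS-abusing apps.  Added example, not code from the
paper or this article.  Assumes a decoded text-form AndroidManifest.xml;
the manifests below are constructed and the priority threshold is assumed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
# Assumed threshold: an SMS_RECEIVED filter at or above this priority is
# ordered ahead of the stock messaging app and can abort the broadcast.
HIGH_PRIORITY = 100


def aattr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def assess_manifest(xml_text):
    """Summarize the SMS permissions and SMS_RECEIVED receivers of a manifest."""
    root = ET.fromstring(xml_text)
    perms = {aattr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {aattr(a, "name") for a in filt.findall("action")}
            if SMS_RECEIVED in actions:
                # A missing priority means 0; malware commonly sets the int maximum.
                sms_receivers.append((aattr(recv, "name"), int(aattr(filt, "priority") or 0)))
    intercepting = [name for name, prio in sms_receivers if prio >= HIGH_PRIORITY]
    return {
        "package": root.get("package"),
        "sends_sms": SEND_SMS in perms,
        "sms_receivers": sms_receivers,
        "intercepting_receivers": intercepting,
        "suspicious": SEND_SMS in perms and bool(intercepting),
    }


# Constructed manifests (not from real apps): the same astrology app with and
# without the premium-SMS machinery.
ROGUE_ASTROLOGY_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.horoscope">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Daily Horoscope">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_ASTROLOGY_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.horoscope">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Daily Horoscope">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


if __name__ == "__main__":
    for manifest in (ROGUE_ASTROLOGY_MANIFEST, BENIGN_ASTROLOGY_MANIFEST):
        print(assess_manifest(manifest))
```

A legitimate messaging app will also trip this heuristic, so it ranks samples for analysis rather than convicting them; the next step is to find the receiver's `abortBroadcast()` call and the number the outgoing messages go to. Note that the trick depends on SMS_RECEIVED being an abortable ordered broadcast, which Android 4.4 removed for everything but the default SMS app, so this pattern belongs to the malware of the period the paper covers.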