As Smart Phones are becoming the growing Future of the handheld devices, so does the threats that are associated with them. This is third article of a series where we some what try to cover a systematic characterization of existing Android malware, ranging from their installation, activation, to the carried malicious payloads.In current article you can read details about Malware payloads that they carry. Also a section is added to address the permissions that are used by the malware application on Android.

Malicious Payloads Categories

As existing Android malware can be largely characterized by their carried payloads, here we partition the payload functionalities into four different categories: privilege escalation, remote control, financial charges, and personal information stealing.

Malware classification

1.Privilege Escalation

The Android platform is a complicated system that consists of not only the Linux kernel, but also the entire Android framework with more than 90 open-source libraries included, such as WebKit, SQLite, and OpenSSL. The complexity naturally introduces software vulnerabilities that can be potentially exploited for privilege escalation. Overall, there are a small number of platform-level vulnerabilities that are being actively exploited in the wild. The top three exploits are exploid, RATC (or RageAgainstTheCage), and Zimperlich. Here we point out that if the RATC exploit is launched within a running app, it is effectively exploiting the bug in the zygote daemon, not the intended “adbd daemon”, thus behaving as the Zimperlich exploit. Considering the similar nature of these two vulnerabilities, we use RATC to
represent both of them.

From literature analysis, one alarming result is that among major malware families they are embedded with at least one root exploit. Also, it is not uncommon for a malware to have two or more root exploits to maximize its chances for successful exploitation on multiple platform versions.

A further investigation on how these exploits are actually used shows that many earlier malware simply copy verbatim the publicly available root exploits without any modification, even without removing the original debug output strings or changing the file names of associated root exploits. For example, DroidDream contains the exploid file name exactly the same as the publicly available one. However, things have been changed recently. For example, DroidKungFu does not directly embed these root exploits. Instead it first encrypts these root exploits and then stores them as a resource or asset file. At run time, it dynamically uncovers these encrypted root exploits and then executes them properly, which makes their detection very challenging. In fact, when the first version of DroidKungFu was discovered, it has been reported that no single existing mobile anti-virus software at that time was able to detect it, which demonstrated the “effectiveness” of this approach. Moreover, other recent malware such as DroidCoupon and GingerMaster apparently obfuscate the file names of the associated root exploits (e.g., by pretending as picture files with png suffix). We believe these changes reflect the evolving nature of malware development and the ongoing arms race for malware defense.

2.Remote Control

During literature review and analysis in order to examine the remote control functionality among the malware payloads,we are surprised to note that 93% turn the infected phones into bots for remote control. Specifically, those who employ the HTTP-based web traffic to receive bot commands from their command and control (C&C) servers.
We also observe that some malware families attempt to be stealthy by encrypting the URLs of remote C&C servers as well as their communication with C&C servers.
For example, Pjapps uses its own encoding scheme to encrypt the C&C server addresses.

Pjapps Malware encodes its C&C server “” into “2maodb3ialke8mdeme3gkos9g1icaofm“.

DroidKungFu3 employs the standard AES encryption scheme and uses the key Fuck_sExy-aLl!Pw to hide its C&C servers. Geinimi similarly applies DES encryption scheme (with the key “0x0102030405060708”) to encrypt its communication to the remote C&C server.

During the literature survey and review , it was also found that most C&C servers are registered in domains controlled by attackers themselves. However, there are also cases where the C&C servers are hosted in public clouds. For instance, the Plankton spyware dynamically fetches and runs its payload from a server hosted on the Amazon cloud. Most recently, attackers are even turning to public blog servers as their C&C servers. AnserverBot is one example that uses two popular public blog services, i.e., Sina and Baidu, as its C&C servers to retrieve the latest payloads and new C&C URLs.

3. Motivation behind Malware “The Financial Charge”

Beside the above two mostly used schemes ,privilege escalation and remote control, its worth to look into the motivations behind malware infection. In particular, it is worth reviewing that whether malware will intentionally cause financial charges to infected users.One profitable way for attackers is to surreptitiously subscribe to premium-rate services that are infact attacker controlled, such as a permission-guarded function sendTextMessage that allows for sending an SMS message in the background without user’s awareness. Such type of attacks targeting users in Russia, United States, and China are mostly reported.

The very first Android malware FakePlayer sends SMS message “798657” to multiple premium-rate numbers in Russia. GGTracker automatically signs up the infected user to premium services in US without user’s knowledge. zSone sends SMS messages to premium-rate numbers in China without user’s consent.

Some malware choose not to hard-code premium-rate numbers. Instead, they leverage the flexible remote control to push down the numbers at runtime.  Apparently, these malware families are more stealthy than earlier ones because the destination number will not be known by simply analyzing the infected apps. In review analysis, it is observed that by automatically subscribing to premium-rate services, these malware families need to reply to certain SMS messages. This may due to the second-confirmation policy required in some countries such as China. Specifically, to sign up a premium-rate service, the user must reply to a confirming SMS message sent from the service provider to finalize or activate the service subscription. To avoid users from being notified, they will take care of replying to these confirming messages by themselves. As an example, RogueSPPush will automatically reply “Y” to such incoming messages in the background; GGTracker will reply “YES” to one premium number, 99735, to active the subscribed service. Similarly, to prevent users from knowing subsequent billing-related messages, they choose to filter these SMS messages as well. This behavior is present in a number of malware, including zSone, RogueSPPush and GGTracker.

Besides the premium-rate numbers, some malware also leverage the same functionality by sending SMS messages to other phone numbers. Though less serious than previous ones, they still result in certain financial charges especially when the user does not have an unlimited messaging plan. For example, DogWars sends SMS messages to all the contacts in the phone without user’s awareness. Other malware may also make background phone calls. With the same remote control capability, the destination number can be provided from a remote C&C server, as shown in Geinimi.

4. Information Collection

In addition to the above payloads, malware are actively harvesting various information on the infected phones, including SMS messages, phone numbers as well as user accounts.For example, SndApps collects users’ email addresses and sends them to a remote server. FakeNetflix gathers users’ Netflix accounts and passwords by providing a fake but seeming identical Netflix UI.

We consider the collection of users’ SMS messages is a highly suspicious behavior. The user credential may be included in SMS messages. For example, both Zitmo (the Zeus version on Android) and Spitmo (the SpyEpy version on Android) attempt to intercept SMS verification messages and then upload them to a remote server. If successful, the attacker may use them to generate fraudulent transactions on behalf of infected users.

D. Permission Used by Malwares

For Android apps without root exploits, their capabilities are strictly constrained by the permissions users grant to them. Therefore, it will be interesting to compare top permissions requested by these malicious apps ,with top permissions requested by benign ones. Based on the comparisons,


permissions are widely requested in both malicious and benign apps.

The first two are typically needed to allow for the embedded ad libraries to function properly. But malicious apps clearly tend to request more frequently on the SMS-related permissions, such as READ_SMS, WRITE_SMS, RECEIVE_SMS, and SEND_SMS.

RECEIVE_BOOT_COMPLETED permission is five times of that in benign apps.  This could be due to the fact that malware is more likely to run background services without user’s intervention. There are quite a number of malwares request CHANGE_WIFI_STATE permission, which is an order of magnitude higher than that in benign apps . That is mainly because the Exploid root exploit requires certain hot plug events such as changing the WIFI state, which is related to this  permission.

Finally, It is observed that malicious apps tend to request more permissions than benign ones. The average number of permissions requested by malicious apps is almost 11, while the average number requested by benign apps is 4.
Among the top 20 permissions, 9 of them are requested by malicious apps on average while 3 of them on average are
requested by benign apps.