By James Green ~ August 2nd, 2013 11:30 PM MST
From humble beginnings Android malware has become an industry unto itself; it is more malicious, more complex, and more common than ever before. This article will attempt to deliver a “brief” history of malware on the Android platform. Discussed herein are the major developments and outbreaks of Android malware. There is a lot of information to cover and by no means is this timeline all-inclusive. Most of the threats discussed in this article are still active in 2013. If you are using Armor for Android or another trusted antivirus application, your device is protected.
In 2008 and 2009, back in the infancy of the Android platform, Android represented no more than 4% of the smartphone market. Users were justifiably under-concerned about a malware infection on their Android devices as the threat was simply not that significant. This isn’t to say that the platform was devoid of malware; Android malware did exist. But cyber criminals are motivated by money and at the time the Android platform was not popular enough to represent significant financial gains. Over the course of 2010 things began to change. Android began to gain popularity and by the end of 2011 smartphones running the Android operating system represented 46% of the total smartphone market. In 2011 Bloomberg estimated that the smartphone industry was worth 219 billion dollars and by the third quarter of 2012 the number of smartphone users surpassed 1 billion worldwide. In 2013 Android devices represent nearly 75% of the booming smartphone market. Cyber criminals have taken notice of Android and now 90% of mobile malware targets the Android platform.
(Quick note: In March of 2012 Google decided to rename their Android app store from ‘Android Market’ to ‘Google Play’. Simply for the sake of continuity this article refers to it as Google Play throughout. Any reference to an Android market refers to an unofficial Android market.)
2008 – 2009
Even before the official release of the first Android smartphone in October 2008 there was already Android malware. A group from the University of Electronic Science and Technology in China (UESTC) created malware that was capable of controlling some device activities and stealing information from the device. Reportedly this malware was intended as a proof-of-concept and not intended to perform any malicious attacks against users. Not a lot of information is available about what steps Google took to patch the security vulnerabilities exposed by this malware. No operating system is flawless and in time other vulnerabilities would be discovered and exploited.
MobileSpy – In November 2009 the first spyware for the Android platform was released by Retina-X Studios. MobileSpy is a spyware application full of privacy-invading features including the ability to remotely monitor incoming and outgoing text messages, phone calls, emails, web history, photos, videos, GPS location and more. All someone had to do was install the MobileSpy application on the target device and they could monitor the device completely via a web interface. Exploiting the privacy of another individual for profit: not a bad start, Android malware, but I have a feeling you can do worse… much worse.
Droid09 – In late December that same year unauthorized banking applications were discovered on Google Play. Published by a fake developer named DROID09, these applications are believed to be the first example of an Android phishing scam. The malware was advertised as paid Android banking applications for several different real banks; once the victim entered their login information the malware would simply open the device browser to the bank’s online webpage. This malware was not complex and was mainly a social engineering threat.
2008 and 2009 were slow years on the Android malware front. Remember, during these years Android itself was not a particularly popular mobile platform yet. As the platform continued to grow, so would the malware industry. From 2008/09 to 2010 the amount of malware on the Android platform more than doubled, from about 1,400 unique samples to 3,200 unique samples.
In 2010 Android malware authors found their ‘pièce de résistance’, premium service fraud. Premium service fraud was not a new concept and had been occurring for many years prior to 2010. But, the adoption of the concept and the delivery method were revolutionary in terms of Android malware. Even today, the model below serves as the foundation for some of the most common forms of Android malware.
- The malware author registers a premium rate phone number or short code (short codes are used as phone numbers for premium rate SMS services).
- The malware author then creates an SMS Trojan or Dialer Trojan application and publishes the malware on an Android market to be downloaded by consumers.
- Once the application is installed on a victim’s device it will silently send SMS messages or make phone calls to the malware author’s premium rate number or short code.
FakePlayer – The first SMS Trojan was discovered by Kaspersky Labs in August 2010 and was dubbed FakePlayer. This application was advertised as a media playing application, but unbeknownst to the user FakePlayer would also send out SMS messages from the device to premium SMS services. These messages would incur additional charges of approximately $5 each on the victim’s mobile phone bill. The device would then also receive mandatory response messages from each premium SMS service. To avoid arousing suspicion and bombarding the device with premium SMS response messages, the FakePlayer Trojan was designed to only commit this fraudulent activity when the application was launched for the first time. In time SMS Trojans would develop other methods to compensate for premium SMS response messages.
Fake Angry Birds – In November 2010 security researcher Jon Oberheide spent some time trolling Google to expose a security vulnerability in Google Play’s installation process. Oberheide essentially created one of the first Trojan Downloader applications and successfully published the Trojan to Google Play. Oberheide created a fake Angry Birds application capable of imitating the install request sent from the Google Play app to Google Play’s servers. By imitating the installation request the application was capable of tricking Google’s servers into installing additional applications on the device without any user interactions. The fake Angry Birds application successfully downloaded and installed inactive malware from Google Play; this malware was fully capable of tracking the device location, committing premium service fraud, or stealing device information. Thankfully Oberheide fights the good fight and this experiment was strictly proof-of-concept to get Google’s attention and improve Google Play’s security. If you’re interested, Oberheide makes for an entertaining read and the full analysis of his experiment is available here.
Geinimi – Discovered by Lookout in late 2010, Geinimi was two things: unquestionably the most sophisticated Android malware discovered at the time and perhaps the first example of a mobile botnet. The author of Geinimi packaged the malicious code into a large number of previously legitimate applications to trick consumers into installing the Trojan on their devices. Once installed, the Trojan harvested a significant amount of data from the infected device and forwarded this stolen data to a remote server. This Trojan had the capability to communicate with a remote server and receive commands. Geinimi was capable of executing over 20 commands including stealing further information from the device, committing premium service fraud, or even downloading additional malware and prompting the user to install it. However, researchers were never able to actively observe commands being sent from the server to the Trojan.
Over the course of 2010 we witnessed Android malware move from spyware and remedial phishing scams to premium service fraud, Trojan downloaders and even possible botnet malware. The Android platform was becoming more popular and cyber criminals began to recognize an opportunity for significant financial gains. According to research firm Gartner Android sold 67 million devices worldwide in 2010; in 2011 Android would sell more than 220 million devices. Malware developers would invest even more effort into creating malware for Android devices and the investment paid off. In 2011 Android malware experienced a meteoric rise. Over the course of 2010 a total of 3,200 unique Android malware samples were discovered, 2011 laughs at 2010. The year of 2011 brought 36,000 new Android malware samples, roughly an increase of 1200%.
ADRD (HongTouTou) – In February 2011 a ClickFraud Trojan was discovered called ADRD, also known by the (much more fun to say) name ‘HongTouTou’. Like the Geinimi Trojan, the malicious code of ADRD was packaged into a large number of previously legitimate applications and republished by the malware author. The ADRD Trojan would collect information from the device and contact a remote server; the remote server would return an encrypted list of keywords. ADRD would decrypt the keywords and perform a search of each keyword on a well-known Chinese search engine called Baidu. ADRD would then click on a specific link that was returned in the Baidu search results to increase the search engine ranking of that specific web site. ADRD was interesting in that it did not commit any inherently malicious acts towards the device or the device user. However, it may still have resulted in additional charges to the victim’s mobile phone bill due to data overages.
DroidDream – In March 2011 the discovery of DroidDream hit the Android community so hard that reportedly several Google executives required haircuts when they woke up (we jest). The shock over DroidDream was threefold. First, over 50 DroidDream Trojan applications had made their way onto Google Play. Second, DroidDream applications had been downloaded an estimated 200,000 times combined. And finally, DroidDream was (and still is) capable of rooting infected devices and gaining administrator privileges without the user’s knowledge.
When DroidDream is installed on a device it harvests device information and forwards the stolen information to a remote Command and Control (C&C) server. Then the rooting begins. DroidDream is packaged with two well-known rooting exploits, RageAgainstTheCage and Exploid. These exploits, on their own, are not malicious and can provide users with root privileges on Android OS versions 2.2 and earlier. But when these exploits were packaged in a Trojan application and used to silently root a device without the user’s knowledge they became incredibly dangerous. If DroidDream is successful at rooting the infected device it gains administrator privileges on the device and is capable of performing any function without the user’s knowledge. Effectively, the malware author for DroidDream had complete control of infected devices through the C&C server.
Google scrambled to repair the damage. The DroidDream applications were removed from Google Play post-haste and Google remotely removed the DroidDream applications from infected devices. Google also pushed an update to victims’ devices that contained an application called “Android Market Security Tool March 2011” that reversed the effects of the exploits (un-rooted the devices if you will). While the blame for the lack of security on Google Play lies squarely on the shoulders of Google they do deserve an honorable mention for the way they handled the situation.
Denofow – Sometimes pranksters put a pretty significant amount of effort into executing a prank. Such efforts led to the Denofow Trojan, which was discovered in May 2011. Denofow is a trojanized version of an application that already teeters on the borders of good taste called “The Holy F***ing Bible.” The Trojan application waited for the date of May 21st 2011 to execute its malicious payload. On that date, the Denofow Trojan sent SMS messages containing one of the following messages to each of the device contacts.
- “Cannot talk right now, the world is about to end”
- “Es el fin del mundo”
- “Its the Raptures,praise Jebus”
- “Jebus is way over due for a come back”
- “Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage”
- “Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right”
On May 21st 2011 the Denofow Trojan also changed the wallpaper of infected devices to an image of popular American TV show host Stephen Colbert. Then on May 22nd 2011 the Denofow Trojan repeated the malicious activity, changing the device wallpaper to a new image and sending a new SMS message to all the device contacts with the following text.
- “Looks like Jebus is a no show, maybe Judaism was on to something”
Fortunately Denofow did not steal any information or root the device and no financial loss was experienced as a direct result of the Trojan. Essentially the Denofow Trojan was a prank albeit in poor taste. Now back to the serious stuff.
DroidKungFu – Led by Xuxian Jiang, the hard working research team at NC State University discovered DroidKungFu in June 2011. Like DroidDream, this rooting Trojan also contains two well-known rooting exploits (RageAgainstTheCage and Exploid). DroidKungFu is capable of rooting Android devices running Android OS versions 2.2 and earlier; if the device is successfully rooted the Trojan is able to execute any device activity without the device user’s knowledge. DroidKungFu will install an application called ‘legacy’ that disguises itself as the Google Search application, misspelled as “Google SSerach.” This application connects to a remote command and control (C&C) server to receive further instruction. The malware author is able to instruct the Trojan to perform any activity on the device without the user’s knowledge. The DroidKungFu rooting Trojan effectively converted the infected device into a bot controlled by the malware author.
GingerMaster – This one is a little tough to follow because the individuals responsible for naming the components related to this threat had an affinity for the word ‘ginger’. Let me explain:
- In February 2011 Google released GingerBread (with a ‘D’). GingerBread was the newest Android OS version at the time and included new features and patched old security vulnerabilities (like the vulnerabilities exploited by DroidDream and DroidKungFu).
- Never content with the stock Android operating system, three months later the Android community released GingerBreak (with a ‘K’). GingerBreak was a rooting exploit which rooted devices and allowed developers administrator access to their device to develop and test custom ROMs, themes, etc.
- In August 2011 GingerMaster was discovered. This was a Trojan containing the new GingerBreak (with a ‘K’) rooting exploit. This Trojan was capable of rooting devices running the newest Android OS version, GingerBread (with a ‘D’).
We can thank Xuxian Jiang and his crack team at NC State for not naming this rooting Trojan GingerB-anything! GingerMaster would root the infected device if possible and then harvest device specific information and contact a remote C&C server. The Trojan would download additional malware to the device and, using the administrator privileges gained by rooting the device, install the malware without the device user’s knowledge. All Android threats capable of installing further malware are extremely dangerous as the additional malware installed can have an endless list of malicious capabilities. To recap, GingerMaster uses GingerBreak to root devices running GingerBread and install additional malware. It’s straightforward stuff.
With the development of Android rooting Trojans in 2011, Android malware stopped playing checkers and started playing chess. Android devices now represented 66% of the entire smartphone market and showed no signs of regressing. By this point malware authors were fully aware of the financial opportunities that Android represented. Mobile malware had started to forget about other mobile platforms and 90% of mobile malware was now written for Android devices. In 2012 Trojans reached an all-time high with 70% of Android malware falling into the category. Malware continued its onslaught on the Android platform and over the year more than 210,000 new unique malware samples were discovered. Researchers now lived under a seemingly endless pile of malware samples to analyze; the need for antivirus protection for Android users had never been greater.
RootSmart – As Google worked to patch old security vulnerabilities, malware authors worked to find and exploit new ones. To help keep Android malware out of Google Play a security feature called Google Bouncer was introduced in February 2012. Google Bouncer scans applications for malware signatures (like rooting exploits) before the application is published on Google Play. If the application contains anything malicious it is not published and the developer’s account may be suspended. The same month that Google Bouncer was introduced Xuxian Jiang and his team at NC State discovered the RootSmart Trojan.
RootSmart outsmarted the Android security model once again and was published to Google Play. Unlike its predecessors this rooting Trojan did not contain any rooting exploits. Instead, once the RootSmart Trojan was installed on a device it would contact a remote C&C server and download the GingerBreak rooting exploit. Using the GingerBreak rooting exploit RootSmart would attempt to root the device to gain administrator privileges. Then the Trojan would contact a remote server to download and install additional malware on the device without the user’s knowledge. An interesting note about RootSmart is that if it was unsuccessful at rooting the device it would still contact the remote C&C server to download additional malware and simply prompt the user to install.
Cawitt – Developers are understandably not big fans of pirated applications that deny them the opportunity to earn money for their efforts. Unfortunately, some very confused rogue developers decided to partake in pirating applications to teach users a lesson, which led to the discovery of the Cawitt Trojan in June 2012. Cawitt is a trojanized version of a popular third party Twitter application called Tweetbot. The Cawitt Trojan steals a variety of sensitive device information and forwards it to a remote C&C server. The C&C server can then instruct the Trojan to perform two malicious functions. Firstly, the Cawitt Trojan can be instructed to send SMS messages to subscribe the device to premium SMS services which will incur additional charges to the victim’s mobile phone bill. Premium service fraud is old hat by this point in Android malware, but next the Cawitt Trojan makes sure to publicly shame the individual using the pirated application. Using the victim’s Twitter account the Cawitt Trojan will compose the following message and post it to the victim’s Twitter feed.
“I’ve been demoing a pirated copy of @tweetbot and really like it so I’m going to buy a copy!”
Doing a quick search on Twitter with the above text we can see that a large number of users were affected by this Trojan. The developers certainly seem to think that their end justifies their means; I would argue it takes questionable morals to make that assumption.
Vidro – Discovered by Kaspersky Labs in August 2012, the Vidro Trojan was not the first of its kind nor was it part of a substantial outbreak, but it is the poster child for modern SMS Trojans. As the poster child, Vidro allows us to discuss some commonalities that are seen across the SMS Trojan family. To begin with, Vidro is advertised as an adult video playing application. Adult content related applications simply have a higher ratio of SMS Trojans than other categories. There are certainly plenty of other categories such as games and utilities, but adult content seems to be a more prominent target of malware authors.
Vidro, like many other SMS Trojans, requires users to agree to a ‘terms of service’ to use the application. Often the terms for SMS Trojan applications are misleading and bury the information regarding the premium SMS subscription deep in the lengthy terms of service. In the case of Vidro, the terms of service are nonexistent and cannot be viewed online or in the application. Many SMS Trojans, including Vidro, rely on users blindly agreeing to ‘terms of service’ as a way to appear more legitimate should the malware authors ever face legal action. Once the user accepts the fake terms the Trojan will send one or more SMS messages to subscribe the device to premium SMS services that incur additional charges to the victim’s mobile phone bill (Vidro actually performs this malicious activity daily).
Finally, SMS Trojans have always had to deal with response messages sent back to subscribed devices from the premium SMS service. Network operators often require premium SMS services to send an SMS message back to the device with information about all charges. Failure to send this response SMS message may result in the network operator withholding funds from the premium service owner, so even malware authors are obliged to comply. Obviously the malware author would prefer that the user of the device not receive an SMS message alerting them to these unauthorized charges. For this reason Vidro, and most other modern SMS Trojans, has a broadcast receiver that will monitor all incoming SMS messages on the device looking for messages sent from the premium SMS service number. If a response SMS message is received from the premium service the broadcast receiver will intercept and delete the message before it can be displayed to the user. The broadcast receiver may also monitor for a specific keyword in the SMS messages to intercept and delete. Vidro is representative of most SMS Trojans: it requires users to agree to a fake terms of service, subscribes the device to a premium SMS service to incur additional charges to the victim’s mobile phone bill, and then actively covers its tracks by deleting any evidence of its activity.
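The premium-SMS fraud model and the response-message suppression described above leave a recognisable footprint in an application’s manifest: the SEND_SMS permission, RECEIVE_SMS plus a receiver for the SMS_RECEIVED broadcast registered at a high priority so it sees (and can swallow) the carrier’s charge notification before the messaging app does, and often RECEIVE_BOOT_COMPLETED so the behaviour survives a reboot. The following static triage script is an added example written for this article, not code from the author or from any of the families discussed; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest, package name, class names and the priority threshold are constructed here for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-Trojan indicators.

Heuristic pre-filter only: a hit means "look closer", not "malicious".
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumed threshold: ordinary apps leave intent-filter priority at 0; a large
# value asks to be delivered before other listeners of the ordered broadcast.
HIGH_PRIORITY = 100

# Constructed sample in the shape of the SMS Trojans described in the article
# (not a real sample; package and class names are made up).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Video Player">
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootStarter">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def _attr(elem, name):
    """Read an android:<name> attribute from a manifest element (or None)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Collect SMS-related capabilities declared in the manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "send_sms": "android.permission.SEND_SMS" in perms,
        "receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "boot_receiver": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "sms_receivers": [],  # (receiver class, filter priority)
    }
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _attr(flt, "priority")
            try:
                prio = int(raw, 0) if raw else 0  # base 0: accepts "999" or "0x3e7"
            except ValueError:
                prio = 0
            findings["sms_receivers"].append((_attr(receiver, "name"), prio))
    return findings


def risk_score(findings):
    """Weight the findings; SEND_SMS together with a high-priority SMS_RECEIVED
    receiver is the combination that both incurs charges and hides the
    carrier's confirmation message, so those two carry the most weight."""
    score = 0
    if findings["send_sms"]:
        score += 3
    if findings["receive_sms"]:
        score += 1
    if any(prio >= HIGH_PRIORITY for _, prio in findings["sms_receivers"]):
        score += 3
    if findings["boot_receiver"]:
        score += 1
    return score


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = triage_manifest(manifest)
        print(f["package"], "score", risk_score(f), f["sms_receivers"])
```

The same permission and receiver combination appears in the FakePlayer, Cawitt and SpamSoldier descriptions, so the script generalises across the SMS Trojan family rather than matching Vidro alone.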
SpamSoldier – In late December 2012 Android malware had reached such popularity that it was being used to distribute malware on other platforms. The SpamSoldier Trojan contacts a remote C&C server and downloads a list of phone numbers and a message body to the infected device. The Trojan then sends an SMS message containing the message body to each phone number downloaded from the C&C server. Researchers at Fortiguard captured a message sent by one of the SpamSoldier Trojan samples, here is the example:
“You’ve just won a $1000 Target gift card but only the 1st 1000 people that enter code 7777 at http://holyoffers.com can claim it!”
Clicking the link only leads users to a scam website where many individuals have been defrauded of a considerable amount of money. The SpamSoldier Trojan will report to the C&C server that the spam SMS messages have been sent. Additionally, in an effort to conceal the malicious SMS activity the Trojan deletes the spam messages from the device outbox and intercepts and deletes all incoming SMS messages that are not from a phone number of a device contact.
In the first quarter of 2013, of the 210 million smartphones sold worldwide 156 million of them were running Android (Gartner). Android sold more devices in a single quarter than any competing platform sold in the entirety of 2012. Not keen to miss out on the fun, Android malware is keeping pace. In the first quarter of 2013 there were roughly 157,000 unique Android malware samples discovered; that’s 74% of the malware samples discovered in all of 2012. The first quarter of any year has historically been the slowest for malware discoveries and it would be conservative to estimate that this pace will continue over the course of 2013. If this pace does continue we should expect to see over 600,000 unique malware samples discovered across the industry in 2013.
Arguably, Android is as dominant in the mobile industry as Microsoft is in the computer industry. As the use of Android has become so widespread, Android malware can now use very specific attacks that result in considerable gains for the author. In 2013 we start to see some examples of these targeted attacks. We also start to see the blurring of lines between Android malware categories. Malware authors are creating Trojans to deliver spyware and creating adware to deliver Trojans. The Android malware landscape is more complex than it ever has been before and using some kind of anti-malware protection has become a necessity.
Chuli – In March of 2013 we witnessed one of the first targeted attacks using Android malware. According to Kaspersky Labs “a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list.” The email contained a malicious APK file that appeared to reference a recent human rights conference in Geneva. This malicious file was in fact both a Trojan and spyware; once installed on the device the Chuli Trojan-spy would steal the SMS messages, call logs, contacts, and location of the device (along with some device specific information like model and Android OS version) and forward it to a remote command and control server. This command and control server was located in California but was owned by a Chinese company based in Beijing.
FakeKaKao – In April of 2013 Tibetan activists were wise to the Android malware game and had selectively chosen an application called Kakao Talk to communicate messages, images, videos, etc. Other applications were avoided due to the Chinese government putting pressure on manufacturers to allow them to monitor the application traffic. Kakao Talk was presumed safe until a Tibetan representative of the parliament in exile received an email that contained a malicious “security update” for the application. The fake security update, dubbed FakeKakao, was also a Trojan spyware application. Once installed on the device the spyware would monitor and steal the device contacts, SMS messages, and the cellular network location of the device. This stolen information is then forwarded to a remote server controlled by the attackers. It is speculated that the cell network location would only be useful to an attacker that had knowledge of the cell network and could use this information to locate the victims. Further speculation by citizenslab.org suggests that this was actually a targeted attack by the Chinese government towards the Tibetan group.
BadNews – This threat is one of those Android threats that blur the lines between malware categories. In mid-April 2013 Lookout discovered the BadNews Adware/Trojan. Badnews was essentially a malicious adware network used in a series of 32 applications published on Google Play. Unlike other adware networks, Badnews was used to distribute SMS Trojans.
The Badnews applications would collect potentially sensitive device information and contact a remote C&C server. The C&C server would then issue commands for the Badnews application to display an advert on the infected device. Often the advertisement that was displayed was malicious and would declare that an “update” was required for several popular applications. A link to the “update” was included in the malicious advert; if the user clicked this link an SMS Trojan would be downloaded to the device with an innocuous package name such as “Skype_Insataller.apk.” The SMS Trojan would then commit premium service fraud, sending SMS messages to premium SMS services and incurring additional charges to the victim’s mobile phone bill.
It is unknown how many individuals were victimized by the SMS Trojans distributed on the Badnews network. However, it is known that applications containing the Badnews ad network were downloaded between 2 million and 9 million times combined, making Badnews one of the most widespread Android malware infections to date.
Obad – In June Kaspersky Labs researcher Roman Unuchek uncovered the Obad Trojan. Obad will perform the usual malware tricks and send SMS messages to premium rate SMS services, download and install additional malware without the user’s knowledge and steal information from the device. Unfortunately that’s not all; this Trojan also exploits previously unknown vulnerabilities in the Android security model, actively disrupts commonly used analysis tools, uses unusually advanced code obfuscation, and can spread via Wi-Fi and Bluetooth. Obad is the undisputed belt holder and champion of “Most Sophisticated Android Trojan.”
Due to a previously unknown vulnerability the Obad Trojan is nearly impossible to uninstall. When the Obad Trojan is installed it requests Device Administrator privileges. Any application that is granted Device Admin privileges cannot be uninstalled until those privileges are revoked. Revoking Device Admin privileges is normally done by going to the Settings/Security/Device Administrator menu and removing the application from this list. The Obad Trojan exploits a security vulnerability that allows it to remove itself from the Settings/Security/Device Administrator list while maintaining the Admin privileges. The user of the device cannot revoke the Trojan’s Admin privileges and cannot uninstall the Trojan without doing so.
The Obad Trojan will harvest device information and establish a connection to a remote command and control (C&C) server. This server can issue any of the following commands to be executed by the Trojan:
- Compose and Send SMS messages to phone numbers specified by the C&C server (response messages will be monitored and deleted)
- Test C&C server connection
- Retrieve and send the user’s phone account balance
- Act as a proxy
- Connect to specified URL
- Download and Install additional malware
- Send list of installed applications
- Send user’s contacts
- Execute any device function
- Send files to other Bluetooth devices
To make matters worse, Obad will also execute an SUID command which can potentially grant the Trojan root privileges on the device. If the Trojan successfully obtains root privileges it will be able to perform any device function. Root privileges are serious business and allow the Obad Trojan to download and install additional malware to the device without the user’s knowledge or consent.
Obad is capable of spreading to other devices that are connected to the same Wi-Fi network or via Bluetooth. The Trojan will copy itself and any other malicious applications it may have installed from the C&C server and transmit the copied malware files to other connected devices.
Finally, Obad makes analysis by malware researchers a frustrating affair. Obad uses an advanced level of obfuscation that makes the code much more difficult to analyze; some of the code is even encrypted multiple times for further obfuscation. Additionally, Obad exploits another previously unknown vulnerability in software called DEX2JAR (commonly used by researchers to crack APKs and extract the original source code) that disrupts the conversion from Dalvik code to more easily analyzed Java code.
Thankfully the Obad Trojan has not yet infected a significant number of devices. However, if the Obad Trojan were to become more prominent it would be an outright nightmare.
AntiObScan – In another example of a targeted Android malware attack, fans of popular musical artist Jay-Z fell victim to the AntiObScan Trojan. AntiObScan was discovered in early July of 2013; the Trojan was a pirated version of the application “Magna Carta Holy Grail” which contained an advance copy of Jay-Z’s new album exclusively for Samsung users. The AntiObScan trojanized version of the application waited for July 4th 2013 and changed the wallpaper of all infected devices to an anti-Obama image. The wallpaper image referenced the NSA spying scandal that was exposed in mid 2013. The wallpaper contained the following messages:
- YES WE SCAN (an alteration of the Obama campaign slogan Yes We Can)
- OBEY US
- WE ARE WATCHING YOU
This Trojan also registered a new service on the device called “NSAlistener” which actually had no effect on the device but was surely worrisome to the victims of this Trojan.
This Trojan is another example of a very specific attack having widespread effects. The legitimate Jay-Z application was very popular but was only available to Samsung users; the malware author exploited the desire of non-Samsung users to get the exclusive application and spread a political message via an Android Trojan. Android has become so popular that political activists are becoming malware authors to spread their message. Watch out world.
Android Malware is Here to Stay
This was previously mentioned at the beginning of this article but it’s worth mentioning again. The majority of the threats discussed in this article are still active in 2013, the exceptions being any malware that was set to execute its payload on a specific date and the DROID09 phishing scam.
In this article we covered 19 Android malware families; it should be emphasized that there are a great number of Android malware families that were not discussed. Armor for Android detects approximately 280 unique Android malware families with an endless number of variants in each malware family. The threats discussed in this article were selected for a variety of reasons. Some were selected because they were the first of their kind, others because they were highly malicious or they affected a large number of people. Some were simply selected to lighten the overall mood of this somewhat doom-saying article. The 260+ malware families that did not make it into this article are just as much a threat as the ones that did.
Google makes a valiant effort to curb malware and protect users by developing and improving the Android operating system. Only 12% of Android malware targets the Android OS Jelly Bean (4.1.x or 4.2.x). It would be great if all Android devices operated on Jelly Bean, or even the majority of devices. But 62% of all Android devices operate on older versions of the Android OS, leaving them exposed to a vast landscape of Android threats. The reason there are so many devices running an older version of Android is that Google officially releases Android updates but it is your mobile service provider that pushes these updates to your device. Often mobile service providers will take time to customize the update before pushing it to their customers’ devices and this process can delay the update significantly. Mobile service providers are also notorious for not sending updates to devices older than 24 months, which leaves older devices vulnerable.
Regardless of which version of the Android OS is running on your device we recommend that you use an antivirus application of some kind. At Armor for Android we are proud of the product we produce and we recently received a 98.2% detection rate in an independent test performed by internationally recognized AV-Test.org. However, if you should choose not to use our product please use some kind of AV application on your device. Don’t be a victim of Android malware. ♦
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA