Android Malware Roundup – June 2014

By James Green ~ July 1st, 2014 8:00 AM MST

June was a busy month, full of new mobile threats. Ransomware-style mobile malware took the media by storm and has become one of the most prolific new threat types of 2014. Sadly, ransomware has become so popular because it is so effective; yet if users backed up their data more regularly, we could starve out the ransomware category. I cannot stress enough the importance of performing regular backups of your device: this will save you from total data loss and a major headache in the long run.

Below is a summary of the mobile threats discovered in June 2014, presented in chronological order of discovery (to the best of my ability). Further information about each threat can be found by clicking the links provided in the sub-title or text. I love feedback and I am always happy to answer questions, so please feel free to contact me via email or Twitter.

Malware Pre-installed on New Devices

Brand new devices being sold in the US and UK on Amazon have been discovered hosting pre-installed Android malware. Ominously named ‘Skaynet,’ reminiscent of the Terminator self-aware computer program Skynet, these devices contain the Uupay Android Trojan disguised as the Google Play market.

The Uupay Trojan is capable of collecting a significant amount of sensitive device information and sending the information to a remote server located in China. The most dangerous feature of this malware is its ability to remotely install an application on an infected device without the user’s knowledge or permission. The remotely installed applications can have an endless list of malicious functions and may be capable of operating in the background, while the device owner is completely unaware of the malicious activity.

Snapchat Spam Promotes Android Malware

In late May and early June, it was discovered that spammers had taken to Snapchat and promised users free Google Glasses if they visited GlassforSnap.com. This website was hidden from desktop users, but mobile users found the advertised website confirming the false promise of free electronics. The catch? Users needed to complete a single “sponsor offer” to qualify. The sponsor offer required the user to download a particular application.

The application download process varied across operating platforms and between regions. GlassforSnap.com targeted only Android users in Europe, Asia, and South America with Android malware and sneaky premium SMS subscription services. All users who did not fit the scam profile were told that they did not qualify for the offer. In the end, no users got a free pair of Google Glasses, but a select demographic received Android malware and expensive premium SMS charges on their mobile phone bills.

Mobile Ransomware – A Trendy Threat

If a malware award show existed, mobile ransomware would win ‘best newcomer.’ The first mobile ransomware threat was discovered in June 2013, but in recent months the malware category has seen significant growth. In June 2014 four new mobile ransomware threats were discovered.

The three Android ransomware threats (Cryptolocker, Svpeng, and Simplocker) lock devices (or encrypt data) under the pretense that illegal pornographic material has been discovered. The threats demand that a fine of varying amounts be paid, under the guise of an official-sounding government agency.

Cryptolocker and Simplocker both lock the device but are incapable of encrypting files. Both also demand payment via a payment system called MoneyPak (Cryptolocker demands a $300 ransom, Simplocker a $200 ransom). Svpeng is the first mobile ransomware threat capable of encrypting files and will do so to select file types found on the SD card of an infected device. Svpeng is the least costly, demanding roughly a $20 ransom through PayPal.

When Flappybirds Attack

We’ve reported on the Flappybird malware epidemic a few times. The reality is this: the official Flappybird game no longer exists on any mobile platform (for the time being). It is likely that any app claiming to be Flappybird is some form of malware (SMS Trojan, spyware, etc.). DO NOT INSTALL FLAPPYBIRD UNTIL FURTHER NOTICE.

South Korean Banking Trojan

Discovered by CM Security Research Lab, an application disguised as a game or a third-party application market is stealing banking credentials from South Korean Android users. Once installed, the threat detects whether a legitimate banking application is installed on the device and then suggests that the legitimate banking application requires an update. If the victim confirms the “update,” the Trojan downloads a fake banking application to replace the legitimate one. The fake banking app requests the victim’s username and password, bank account number, and “bank security card number” and forwards this information to the cybercriminals responsible.

Once the sensitive information is stolen, the app displays a pop-up window stating “No Wi-Fi connection. Use 3G or try to connect to the Wi-Fi again.” Closing the pop-up window closes the app and removes the app icon from the app menu.

Banking Trojans are a particularly dangerous form of mobile malware and, unfortunately, all too common. Reportedly, this banking Trojan variant has already victimized about 100,000 South Koreans.

Government Condoned Hacking Team

Hackers and governments seem like natural enemies, but on the contrary these two natural rivals are cooperating to the detriment of the public. Italian company ‘Hacking Team’ has created commercial Remote Control System (RCS) spyware, which it is selling to governments across the world. The RCS malware is compatible with any mobile operating system platform (Android, iOS, Windows Phone, Blackberry) and reports stolen information back to C&C servers to be collected by potential government agencies.

Kaspersky researchers uncovered a unique signature which they used to identify 326 RCS C&C servers worldwide. The country hosting the largest number of RCS C&C servers (64) was the United States, followed by Kazakhstan (49), Ecuador (35), the UK (32), and many, many other nations. While it isn’t possible to conclusively prove these C&C servers are owned by government agencies, speculation suggests this is likely the case. The WHOIS information related to the C&C server IP addresses is identified as “government,” and hosting the C&C servers locally prevents entanglement in international privacy laws.

RCS malware can be installed remotely on mobile devices connected to infected Windows and Mac computers. The malware is capable of monitoring almost all device processes, including voice recording, email, SMS and MMS messages, web activity, call history, GPS location and even the device camera.

Android Selfie Malware

Believe in your selfie, but don’t believe in spammy malware. Selfmite is an SMS worm-style form of Android malware, proliferated through text messages from friends with infected devices. Adaptive Mobile, who discovered this malware, wrote that victims receive an SMS message stating “Dear [NAME], Look the Self-time,http://goo.gl/******.” The link leads to an APK package called ‘The Self-Timer’; this application is the Selfmite worm malware.

Once installed, the malware will send the same infection SMS message to all contacts listed on the device. Then Selfmite opens the device browser to another URL where it downloads and installs an application known as Mobogenie. The worm installs Mobogenie because it has an affiliate program that pays per install; Selfmite exploits this affiliate program to make money.

Android Protection

Android malware dominates the mobile malware landscape representing the vast majority of all mobile malware. Android users can take simple steps to avoid falling victim to this very real threat. Keep the following tips in mind while using your Android device to avoid an Android malware infection.

  • Install and use an Android anti-virus application on your device. Stay current with antivirus application updates to ensure that you are protected from the most recent threats.
  • Be sure to stay current with all other application and Android OS updates, as these often contain patches for recently discovered security vulnerabilities.
  • Avoid downloading applications from untrustworthy sources.
  • Review application permissions before downloading. Unnecessary application permissions, such as a calculator application requiring SEND_SMS permission, can be a red flag indicating malware.
  • Read user reviews of applications before downloading and look for a strong web presence. Applications without a developer website, Facebook page, Twitter account, or customer support number should be considered suspicious.
  • Back up your data regularly to prevent data loss in the event of a mobile malware infection.♦
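
The permission review recommended above can be partly automated. The following is an added example, not code from this article or from any vendor: it reads a text-form AndroidManifest.xml (as produced by a decoder such as apktool; manifests inside an APK are binary XML) and flags permission sets that the app's stated category does not explain. The rule names, the category baseline and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Illustrative rules (this example's own mapping): permission sets that would
# enable behaviours described in this roundup.
RULES = {
    "premium-sms": {"SEND_SMS"},                      # SMS Trojans, paid subscriptions
    "sms-worm": {"SEND_SMS", "READ_CONTACTS"},        # Selfmite-style spreading
    "silent-install": {"INSTALL_PACKAGES"},           # Uupay-style remote installs
    "surveillance": {"RECORD_AUDIO", "READ_SMS", "ACCESS_FINE_LOCATION"},
}
# Hypothetical baseline of permissions a reviewer expects per app category.
EXPECTED = {
    "calculator": set(),
    "messaging": {"SEND_SMS", "READ_SMS", "READ_CONTACTS"},
}

# Constructed sample: a "calculator" manifest in text form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Calculator"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of all android.permission.* entries requested."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                perms.add(name[len(PREFIX):])
    return perms

def review(manifest_xml, category):
    """Return (unexpected permissions, matched rules) for a declared category."""
    perms = requested_permissions(manifest_xml)
    unexpected = perms - EXPECTED.get(category, set())
    # A rule fires only if the app holds every permission in it and at least
    # one of them is not explained by the app's stated purpose.
    hits = [r for r, need in RULES.items() if need <= perms and need & unexpected]
    return sorted(unexpected), sorted(hits)

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, "calculator"))
```

The same manifest reviewed as a "messaging" app matches no rule, which is the point of the tip: a permission is suspicious relative to what the application claims to do.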

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com, Twitter: @James_AfA