Mobile Malware : Malware On The Go Part 2
Continued from my post Mobile Malware : Malware On The Go Part 1
So what can mobile malware do?
Malicious programs available on the official Android Market (now Google Play) became yet another headache in 2011. The first such incident, the DroidDream family, was recorded in early March 2011, after which threats began to appear on the Android Market on a regular basis. Because Android apps are self-signed, the signing certificate only proves that two packages were signed with the same key; it says nothing about who holds that key, so there is no good way to verify that an application comes from a trusted source. Theft of intellectual property is common: rogue developers repackage legitimate applications, re-sign them with their own key and sell them under their own names.
The most common type of mobile malware is the SMS Trojan, which silently sends SMS messages to premium-rate service numbers. Fake 'Instagram' and fake 'Cut the Rope' apps, mostly found outside Google Play, worked exactly this way.
Plankton is a malware family that abuses Dalvik's class-loading capability (the DexClassLoader API) to stay hidden and extend its own functionality at run time: the installed APK contains only a small loader, and the real payload is downloaded and loaded later, so static analysis of the package that was installed never sees it. Dalvik is the virtual machine on which Android apps run; apps are compiled into the Dalvik Executable (.dex) format before execution. Plankton's downloaded payloads collect bookmark information from the infected device, install or remove home-screen shortcuts, steal browser history and gather runtime log information.
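The usual first triage step against a Plankton-style loader is to look at what the installed APK can do without running it: if the DEX string table references Dalvik's class-loading API together with network calls, the package can pull in code that is not in the sample. The Python below is an added example for this post, not code from the original article or from any analysis tool; it parses the string table of a classes.dex file and flags those indicators. The sample DEX is constructed inline (header plus string table only, checksum and signature left zero), the URL in it is made up, and the exact set of indicator strings is an assumption. The API descriptors themselves (Ldalvik/system/DexClassLoader; and friends) are real.

```python
import struct

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70

# Strings that show the package can load code that is not inside it.
# Assumed indicator set for this example; the descriptors are real Android API names.
DYNAMIC_LOAD_INDICATORS = {
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "loadClass",
    "openDexFile",
}
# Strings that show where such code might be fetched from.
NETWORK_INDICATORS = {"Ljava/net/URL;", "Ljava/net/HttpURLConnection;", "openConnection"}


def _read_uleb128(data: bytes, off: int):
    """Decode an unsigned LEB128 integer; return (value, offset after it)."""
    value, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def _write_uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def extract_strings(dex: bytes):
    """Return the string table of a DEX 035 file as a list of str.

    Layout: string_ids_size/string_ids_off live at header offsets 0x38/0x3C; each
    string_id is a u32 offset to a string_data_item, which is a ULEB128 UTF-16
    length, MUTF-8 bytes and a NUL terminator.
    """
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = _read_uleb128(dex, data_off)
        end = dex.index(b"\0", start)
        # MUTF-8 matches UTF-8 for the ASCII descriptors we look for; supplementary
        # characters (surrogate pairs) would need extra decoding, so errors are replaced.
        strings.append(dex[start:end].decode("utf-8", errors="replace"))
    return strings


def flag_dynamic_loading(strings):
    """Split the string table into the two indicator groups we care about."""
    present = set(strings)
    return {
        "dynamic_loading": sorted(present & DYNAMIC_LOAD_INDICATORS),
        "network": sorted(
            s for s in present
            if s in NETWORK_INDICATORS or s.startswith(("http://", "https://"))
        ),
    }


def loads_external_code(dex: bytes) -> bool:
    """True when the package references both a class loader and a network source.
    This is a triage signal, not a verdict: plugin frameworks and ad SDKs do the same."""
    flags = flag_dynamic_loading(extract_strings(dex))
    return bool(flags["dynamic_loading"]) and bool(flags["network"])


def build_minimal_dex(strings):
    """Construct a DEX blob with a header and a string table only (sample input for
    this example). Checksum and SHA-1 are left zero and string_ids are not sorted,
    so dexdump or the runtime would reject it; our parser does not check those."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += _write_uleb128(len(s)) + s.encode("utf-8") + b"\0"
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    total = HEADER_SIZE + len(ids) + len(data)
    struct.pack_into("<III", header, 0x20, total, HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)


if __name__ == "__main__":
    # Constructed sample: what a loader-only APK's string table might contain.
    sample = build_minimal_dex([
        "Landroid/app/Activity;", "onCreate",
        "Ldalvik/system/DexClassLoader;", "loadClass",
        "http://payload.invalid/plugin.jar",
    ])
    print(flag_dynamic_loading(extract_strings(sample)))
    print("loads external code:", loads_external_code(sample))
```

A hit only tells you the package can fetch and run code you have not seen. To recover the actual payload you still have to run the sample (or hook DexClassLoader) and capture what it downloads; with a real APK, unzip it and feed classes.dex to extract_strings.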
Android malware authors seized the launch of the immensely popular "Angry Birds Space" as an opportunity to infect unsuspecting smartphone users: a trojanized copy was uploaded to unofficial Android markets. The Trojan horse, Andr/KongFu-L, appears to be a fully functional version of the game, but uses the GingerBreak exploit (a vulnerability in the vold volume manager, CVE-2011-1823) to gain root access to the device and install malicious code. It then contacts a remote website to download and install further malware on the compromised phone. With the malware in place, the criminals can send compromised devices instructions to download more code or push URLs to be displayed in the phone's browser. Effectively, the Android phone is now part of a botnet under the attackers' control.
Backdoor Trojans on Android have become more sophisticated: instead of performing a single action, they use root exploits and launch additional malware. Perhaps the best (and, in terms of functionality, most serious) example of a backdoor was detected at the very start of 2012: the IRC bot Backdoor.Linux.Foncy. It was carried by an APK dropper (Trojan-Dropper.AndroidOS.Foncy) which, in addition to the backdoor, contained an exploit (Exploit.Linux.Lotoor.ac) to gain root rights on the smartphone and an SMS Trojan (Trojan-SMS.AndroidOS.Foncy).
Links to mobile malware have also recently been found on the mobile version of Facebook. The malware package was called any_name.apk; once installed, it appears to have been designed to earn money for fraudsters through premium-rate phone services.
Keyloggers have also been spotted on Android. They capture everything entered on the keyboard, so they can steal any data you type: passwords, banking details and so on. An app cannot normally read another app's input on Android, so such keyloggers pose as third-party keyboards (input methods) that the victim must enable.
Since mobile apps can use a WebView, they can display websites without any browser address bar. A phishing page shown this way gives the user nothing to check the origin against, and the small mobile screen hides the remaining cues, so passwords entered there are very much at risk.
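Because the user has no address bar to check, the app embedding the WebView has to enforce the origin itself. On Android that decision is made in WebViewClient.shouldOverrideUrlLoading, and the classic mistake is a substring or prefix test on the URL string. The Python below is an added example for this post, not code from the original article or from any Android app; it shows the naive check beside a parsed-host allowlist and the URLs that separate them. The host names are made up for the example.

```python
from urllib.parse import urlsplit

# Hosts the app's own WebView is allowed to navigate to (constructed example values).
ALLOWED_HOSTS = frozenset({"login.bank.example", "www.bank.example"})


def naive_is_allowed(url: str) -> bool:
    """The check many apps ship first: HTTPS plus a substring match.
    Kept here only to show what it lets through; do not use it."""
    return url.startswith("https://") and "bank.example" in url


def is_allowed_navigation(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow a navigation only if the URL is HTTPS and its parsed host is exactly
    one of the allowed hosts. This is the logic an Android app would run in
    WebViewClient.shouldOverrideUrlLoading (returning True, i.e. block, when this
    returns False) before the WebView is permitted to load the URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased, userinfo and port removed
        parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or host is None:
        return False
    # Embedded credentials ("https://login.bank.example@evil.example/") are a
    # phishing trick with no legitimate use in an app's own pages: reject outright.
    if parts.username is not None or parts.password is not None:
        return False
    return host in allowed_hosts


def compare(urls):
    """Return [(url, naive_result, strict_result)] so the gap between the two is visible."""
    return [(u, naive_is_allowed(u), is_allowed_navigation(u)) for u in urls]


if __name__ == "__main__":
    # Constructed test URLs: a legitimate page followed by typical lookalikes.
    for url, naive, strict in compare([
        "https://login.bank.example/auth",
        "https://login.bank.example.evil.example/auth",   # lookalike subdomain
        "https://login.bank.example@evil.example/",        # userinfo trick
        "https://evil.example/?next=https://login.bank.example",
        "http://login.bank.example/",                      # downgrade
        "javascript:alert(document.cookie)",
    ]):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The strict check also keeps the WebView from being steered onto non-HTTPS or javascript: URLs; for sub-resources the same test belongs in shouldInterceptRequest, and a blocked navigation should be handed to the system browser, where the user does get an address bar.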
We have also seen rare instances of QR codes being used to guide users to malicious websites.
The first attack using "Man-in-the-Mobile" technology took place in 2010. In this scheme a desktop banking Trojan steals the victim's credentials and tricks them into installing a mobile component, which intercepts the SMS one-time codes (mTANs) the bank sends and forwards them to the attacker, defeating SMS-based two-factor authentication. Perhaps among the most critical events of the past year were the confirmation that ZitMo (ZeuS-in-the-Mobile) exists for BlackBerry and the emergence of ZitMo and SpitMo (SpyEye-in-the-Mobile) versions for Android. The Android versions are especially interesting, as they have the ability to spread very rapidly.
RIM's own BlackBerry documentation admits that "Potentially malicious users might create malware that is designed to steal personal data or your organization's data, create a denial-of-service attack to make your organization's network unusable, or access your organization's network using a device."
Credits : Wikipedia, Securelist
Part of my article in The Hacker News Magazine