OFFICIAL SECURITY BLOG
July 25, 2014 | BY Armando Orozco
We hear a lot about the high amount of Android malware running rampant. An interesting tidbit is a vast majority of malware doesn’t need any special ‘magic’ to behave maliciously. They use existing functionality to attack users, functionality available to all developers.
We’ll take a look at a couple of these methods in which malware is able utilize, once their permission request is granted and the app is installed.
This first method is monitoring incoming SMS. Malware can use SMS to send premium messages, sign you up for paid services, send spam, and a lot more.
Let’s look at the RECEIVE_SMS permission, used heavily by bank Trojans to capture authentication codes and other information related to an account. With this permission granted the malware will create a ‘Receiver’ to monitor incoming SMS.
Once an SMS message is captured, it can do a variety of things like abort the message notification, delete, and collect the contents of the message.
The example here shows how a Korean bank Trojan collects an incoming SMS message, sends to a remote server, and then aborts the notification. The data sent includes the compromised device’s phone number, incoming number, and message contents.
Many apps request to send or receive SMS so the permission request can often be overlooked when installing. The challenge is we can’t see what goes on behind the scenes so SMS could be sent, received, deleted, and contents sniffed without our knowledge. We just have to hope Google is keeping us secure.
Another feature exploited is the security setting “Device Administrators.” Introduced in Android 2.2 it was put in place to help IT department’s better secure corporate Android devices. When an app is defined here, system administrators can enforce policies for devices such as password strength, locking device, and remote wipe.
When an app is listed as an administrator it needs additional steps to uninstall, the app must first be deactivated from Device Administrators.
Malware authors typically use this functionality to prevent an app from being uninstalled.
In this example, Device Administrator is used to prevent uninstalling as usual, but by monitoring events such as the Action DEVICE_ADMIN_DISABLE_REQUESTED, this ransomware is able to block the deactivation attempt. Even in Safe Mode, where only system apps should be started it is able to block deactivation, making this guy even more difficult to remove.
Ransomware, like Koler, SimpLocker, and FBILocker, are becoming more of a nuisance incorporating methods like this, making them even more difficult to remove. Early variants would not block a users access to the device, so if you didn’t fall for the scam you could easily uninstall.
You can review which apps you have installed that are Device Administrators through your Android settings. Settings -> Security -> Device Administrators.
These are just a couple of examples of how malware uses existing Android’s features in malicious ways. We suggest you review permissions before installing apps and backing up your data.
Give a second thought to apps requesting to be Device Administrators.