New Android Malware Has Costly Twist - InformationWeek

"Polymorphic" malware, tweaked frequently, sends SMS texts to premium-rate numbers until smartphone owner's account balance is depleted.

Beware the rise of polymorphic malware on Android smartphones.

That warning comes via security vendor Symantec, which said it's seeing malware-obfuscation techniques honed by PC attackers being used to develop malware that targets smartphones and tablets that run the Android mobile operating system.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection," according to a blog post from the Symantec security response team. "We are now seeing this same technique being used for malicious Android applications hosted on Russian websites."

The new malware, dubbed "Android.Opfake," is typically advertised as being a free version of some well-known Android software, available by clicking on a provided link or button. But in reality, said Symantec, the only software that then downloads is a Trojan app that's designed solely to surreptitiously "send SMS texts to premium-rate numbers," until the smartphone owner's account balance is exhausted.

Speaking last year about mobile malware trends, Denis Maslennikov, a senior malware analyst for Kaspersky Lab, said the problem of premium-rate-dialing malware began in 2008. "Russia and the Ukraine, and other Eastern European countries, have some problems with legislation, which allows cybercriminals to rent premium rate numbers anonymously. That's why they're able to create SMS Trojans that send SMSes to premium-rate numbers," he said.

But the problem remains confined largely to those countries, he said. "In other countries, like any Western European country, or the United States, Canada, Australia, it's impossible to rent this premium-rate number anonymously."

In the case of Opfake, however, Symantec said the code now includes premium-rate numbers for not just Russia, but also Australia, Taiwan, and a number of European countries.

Interestingly, the malware developer appears to manually modify it every few days. In addition, the servers that host the malware also use three techniques for varying the attack code upon download: altering data, reordering files, and inserting fake files.

Data variation is the simplest technique, and may involve varying just one file, which would be enough to fool a signature-based virus scanner. In one sample examined by Symantec, the file that was varied "contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware." In other words, attackers are varying not fake data, but actual data that the malware relies on when launching an attack.

Another technique, meanwhile, simply reorders code and data files before creating the Android package (APK) file that gets downloaded. According to Symantec, "when the package is created, the differences in file ordering will cause different manifest and signature files to be created."

The final technique involves inserting temporary files into the APK. "We have seen upwards of 40 of these dummy files in a single package," said Symantec. "However, the number of dummy .temp files may change with each download, providing even more permutations each time the application is downloaded."
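To make the three variation techniques concrete from the defender's side, here is an added Python example (not Symantec's or InformationWeek's code) that builds constructed stand-in APKs, applies each variation, and shows a whole-file hash changing every time while a fingerprint bound only to the sorted entry names and the code bytes stays stable. All entry names and bytes are hypothetical.

```python
import hashlib
import io
import zipfile
from typing import Dict, Iterable, Optional

# Constructed stand-in for an APK (a real APK is a ZIP with entries like these).
# The bytes are hypothetical and not taken from any real sample.
BASE_ENTRIES: Dict[str, bytes] = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00code-bytes-that-stay-constant",
    "res/raw/operators.db": b"operator-table-v1",
}

def build_apk(entries: Dict[str, bytes], order: Optional[Iterable[str]] = None,
              dummy_count: int = 0) -> bytes:
    """Pack entries into a ZIP in the given order, optionally padded with
    .temp dummy files, mimicking the variation techniques described above."""
    names = list(order) if order is not None else list(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            # fixed timestamp so only content and ordering affect the bytes
            zf.writestr(zipfile.ZipInfo(name, (1980, 1, 1, 0, 0, 0)), entries[name])
        for i in range(dummy_count):
            zf.writestr(zipfile.ZipInfo(f"d{i}.temp", (1980, 1, 1, 0, 0, 0)), b"\0" * 16)
    return buf.getvalue()

def structural_fingerprint(apk: bytes) -> str:
    """Hash that ignores entry order, .temp dummies, META-INF signing files and
    data-file contents; it binds the sorted non-dummy entry names plus code bytes."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = sorted(n for n in zf.namelist()
                       if not n.endswith(".temp") and not n.startswith("META-INF/"))
        for name in names:
            h.update(name.encode() + b"\0")
            if name.endswith(".dex"):  # code entries: bind their content too
                h.update(zf.read(name))
    return h.hexdigest()

def demo() -> Dict[str, tuple]:
    """Four variants of one app -> (whole-file sha256, structural fingerprint)."""
    variants = {
        "original": build_apk(BASE_ENTRIES),
        "data_varied": build_apk({**BASE_ENTRIES, "res/raw/operators.db": b"operator-table-v2"}),
        "reordered": build_apk(BASE_ENTRIES, order=reversed(list(BASE_ENTRIES))),
        "with_dummies": build_apk(BASE_ENTRIES, dummy_count=40),
    }
    return {k: (hashlib.sha256(v).hexdigest(), structural_fingerprint(v))
            for k, v in variants.items()}
```

Running `demo()` yields four distinct whole-file hashes but a single structural fingerprint; changing the code bytes themselves does change the fingerprint, which is the property a scanner wants.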

What's the best way to stop server-side polymorphic malware? While mobile antivirus scanning software can help, Symantec also recommended only downloading apps from trusted markets, and being discerning before granting any permissions to an Android app. Notably, even Android.Opfake must request permission to send SMS messages, and in this case that permission can, and should, be denied.

User Rank: Apprentice
2/7/2012 | 1:46:25 AM
re: New Android Malware Has Costly Twist
This isn't too surprising that this would happen. The advice at the end is sound.
Brian Prince, InformationWeek/Dark Reading Comment Moderator