Skip to content

Facts about Android Security and Malware – Types of Malware

K

While browsing social networks, it is not common for users to point out that Android is a security mess with no data to actually back those statements up. Some users try to fabricate facts without doing any research. Over the next few weeks, I will be releasing a series of posts on KMyers.me called “Facts about Android Security and Malware” to try to shine some light on this and hopefully debunk some of the data that it floating around and to help users understand more about the security of their mobile devices.

Disclaimer: This Page Has Been Archived

Please note that this blog post has been archived and may contain information that is outdated, defunct, or covers topics that are no longer of interest. It is being kept available solely for reference purposes, in case others might find portions of it useful.

For more recent and up-to-date tutorials, I recommend visiting KMyers.me or other websites that specialize in the topic you are interested in. It is always advisable to seek the most current information to ensure accuracy and relevance.

In this first installment, I would like to make sure that we are all using the same common vocabulary. This post contains several of the common types of Android Malware as well as details for each. In future posts, I will be going over best practices to avoid malware and to explain why many of the details floating around the internet are not based in facts.

As a disclaimer – I am a huge Android Fanboy and will be doing my best to produce well researched and objective content for this series – each post takes several hours of research and writing. This series is mainly about Android however a lot of this could apply to other platforms. If you happen to spot any errors or content that you disagree with, please feel free to get in contact with me via my contact page, social networks or simply leave a comment below.

Adware

If a user installs Adware on their phone or tablet, they will start to receive advertisements in various places such as the notification shade, lock screen or widgets on the home screen. While Adware is typically more annoying than dangerous, it could potentially use a specially crafted notification that tricks the user into installing additional malware such as fake Android Update Notifications.

Adware can be installed from various sources such as the Google Play Store, third party app stores and by downloading applications from un-trusted sources. Google does restrict some forms of Adware on the Google Play Store such as those that add items to your notification area. In most cases, you will get the worst forms of Adware by downloading pirated applications from third party sources.

Adware is the most benign form of malware that can exist on Android as it can be easily removed by uninstalling the infected application.

Some examples include AirPush and Shedun

Ransom Ware

This form of malware has been very popular on desktop computers for several years and is beginning to make its way over to mobile devices. This form of malware hides or encrypts user data on the device and offers to un-encrypt the number for a nominal fee, often paid in bitcoin or moneypak cards. Modern versions of Android do a great job sandboxing an application however when combined with a Root Level Exploit, it can easily break out of the sandbox.

Many of these applications attempt to make the user think that their device has been seized by law enforcement and that their data will be released upon paying a fine. These fake law enforcement messages often site things such a possessing child pornography as the reason for the fine. The fine is often around $200. Furthermore, these applications also threaten to send SMS messages to your contacts with the details of your alleged crimes to your contacts as a way of pressuring you to pay the fine.

Infected applications are typically found on third party websites offering pirated applications and games.

Removing Ransom Ware is best done by re-flashing your device to a factory firmware and hopefully you have a backup of your content handy to restore.

Some examples include Reveton and SimpleLocker

Premium Services

This is a broad class of malware that relies on calling telephone numbers or sending SMS messages to premium services that cause charges to appear on a customers bill. These charges can often range from a few cents to several hundred dollars. These services essentially turn your phone into an ATM machine.

SMS based attacks are the most common as they can be done in the background without any interaction by the user. The malicious application will send anywhere between 1 to several hundred messages per month that can cost the user anywhere between 25 cents and $5.00 each. Many attackers tend to limit the number of messages sent per month in the hopes that the customer does not notice a slight increase in their monthly bill.

Premium Phone Call attacks are not as common but do occur from time to time. Once a user is infected with a malicious application, it will force the phone to call a premium rate phone number for anywhere between 1 to 15 minutes during times where the phone is not in use (such as while the attacker is asleep). These tools will then erase the number from your phones call history to prevent being noticed.

While a malicious application is sometimes used (hence why it is listed on this list), the more common method is for an attacker to send thousands of SMS messages to victims with vague text such as “are you there” or “hello”, the victim is then compelled to respond to the message or call the number thus incurring the charge. A similar attack can also be done by the attacker calling hundreds of numbers and hanging up immediately, the victim is then compelled to call back the missed call. Malicious Remote Administration Tools can also be used to trigger calls and SMS messages to premium numbers.

Infected applications are often obtained via third party websites that offer pirated games although it is possible to find these applications in trusted application stores.

In the case that a malicious application is used to trigger premium SMS or phone calls, removing the application is typically all that is needed to stop future charges. Furthermore, a call to your carrier may result in them reversing the charges. Some carriers also allow customers to proactively block calls and SMS messages to premium services.

Remote Administration Tools (RAT)

Remote Administration Tools can serve both good and nefarious purposes. These tools can allow a user to remotely access their phone for the purpose of tracking down a lost phone or to access content in the event they left their phone at home. Unfortunately Remote Administration Tools can also serve a darker purpose by allowing other people to track a users location, read text messages, access photos stored on the device, capture audio recordings, activate the camera, install new applications and more. In many cases, the tools used by both types of users are identical – it is only the use case that changes.

The most common good use cases for Remote Administration Tools are : users who wish to have access to their phone from any computer and parents who which to track and monitor their children’s mobile phone use if they happen to supply phones. Remote Administration tools specifically appeal to parents as it allows them to read text messages that are sent and received from their children to ensure they are not communicating with people they should not, furthermore it allows them to see the location of their kids at any given point. These tools are also great for tracking down a lost phone and wiping the phone of sensitive content if required.

The most common nefarious use for Remote Administration Tools is by people who suspect their spouse may be participating in an affair as it will allow the spouse to view the call history, read SMS messages, view photos stored on the device and to see the devices’s location.

It is relatively easy to install a Remote Administration Tool as they are freely available on the Google Play Store. Furthermore Remote Administration Tools can often hide themselves on the device by not showing up on the launcher or by masquerading as a legitimate looking app such as the calculator.

Although not common but also not unheard of, Remote Administration Tools can also be embedded into modified APK files obtained from websites offering pirated applications and made to act as a makeshift backdoor for use by an attacker. When this method is used, it could be used in conjunction with a Root Level Exploit to allow an attacker to gain a remote root console to your phone. This is form of attack can be used to create a BotNet with mobile phones and tablets.

Removing a Remote Administration Tool is normally easy. The steps normally include disabling Administrative Access and to the tool and uninstalling the application via the Application management screen. Remote Administration Tools that have been installed without the user knowing could be a bit more difficult to remote but many will not survive a factory reset. Remote Administration Tools that have been installed via a Root Level Exploit can be very difficult to remove without re-flashing the factory firmware.

Some examples of Remote Administration Tools include : Cerberus, AirDroid, MonitorDroid and Prey.

Root Level Exploits

Much like Remote Administration Tools, Root Level Exploits are tools that can be used for both good and evil. These tools are often used in “One Click Root” tools on popular sites such as XDA-Developers to allow users to root their devices. These tools work in multiple ways to abuse weaknesses in Android or more commonly manufacturer installed OEM frameworks such as MotoBlur, Sense or TouchWiz. When these exploits target weaknesses in Android, they are often fixed with later Android releases.

These tools can also be used in malicious ways by application developers to gain access to your phone to install backdoors. These malicious applications often take the form of pirated applications or applicationsthat claim to allow you to cheat on games/give free in-game currency or to bypass In-App-Purchases.

Root Level Exploits for legitimate use can be obtained from several sources such as XDA-Developers.com

Root Level Exploits for malicious purposes are often found on websites offering pirated applications or “warez” sites. Although not unheard of, these applications are not found on the Google Play Store or Amazon App Stores. Getting infected with this form of exploit is not always easy as a user would normally be required to disable some of Androids built in security features such as allowing applications to be installed from unknown sources and potentially granting “administrative” access to the application.

Recovering from a Root Level Exploit is not easy as many write to the /system/ partition which allows them to survive a factory reset. The best way to recover your device is to re-flash the device with a fresh copy of the factory firmware. This is relatively easy on Nexus Devices but not always as easy with other manufacturers as some do not release factory recovery images. It is best to refer to the device specific section of XDA-Developers.com for the instructions to recover your device.

Some examples include: TowelRoot, Rage Against the Cage, ZergRush, MotoChopper, Dirty Racoon and Gingerbreak.

Spyware

Unlike a Remote Administration Tool, Spyware has no legitimate use cases. These tools often include many of the feature sets of Remote Administration Tools to allow an attacker to monitor a users device. Spyware is often installed without the user knowing and can be used to monitor locations, text messages, phone calls and other forms of sensitive communication. The data can be used for various things such as marketing.

Although disputed as malicious, some US carriers were caught installing an application called Carrier IQ on mobile phones and used this software to track their users on their network. The carriers claimed that the data collected was solely for the purpose of understanding network use to improve their network however tear-downs of Carrier IQ show that this software was capturing SMS messages, call metadata and much more. In my opinion, as this software was installed without the consumer knowing and with no way to opt-opt, I must classify this as Spyware as it exhibits a dictionary definition of spyware.

Removing Spyware is best done by flashing factory firmware or by using an aftermarket firmware in cases where your carrier installs spyware into the default factory image.

Some Examples include : Carrier IQ

Worms

This is a generic category that I placed on this list as it is commonly used by a few of the other types of malware on this list as a method to spread. This involves a piece of malware harvesting your address book to send SMS messages from your phone number to your contacts in order to convince them to install the malware on their device. These SMS messages will say things like “I found this great game you should check out” or “Here is a sensitive document for you to view but you need to install a viewer” – both of which contain a link to download the infected application.