So I’m looking at this ad network, and I notice that some of its ads lead up to an Android binary download. Shady, right? Just the fact that there is an ad leading to a sideloaded APK is already pretty disturbing. I look around, find a whole family of those apps. For each app, at least half of all Virustotal vendors mark it as an SMS trojan, and so does Lookout.
So we contact well-meaning people who might be interested in hearing about those apps. They tell us it’s a false positive. I go back saying there is no way this could be a false positive, these apps send paid SMS messages and are recognized by top vendors as an SMS trojan. They argue back and still claim it’s an FP. So I run one of the apps in a sandbox, it’s basically a bunch of porn, but the first thing that shows up is a warning saying if the user continues with this app, it will charge X dollars via paid SMS for each video viewed. So I guess if they warn the user upfront about this, then they are legit?
So it seems, in this particular industry, it’s one way to bill the users. So going back to the
definition of mobile malware, how on Earth were the AV scanners supposed to read that initial warning to the user? By all characteristics available to machines, this app looked and acted exactly like an SMS trojan. That’s more bad news for mobile antivirus: since a large part of apps’ functionality is hidden on the server side, unavailable for signature matching, you end up over-analyzing whatever is left accessible to you on the device and detection starts to fall apart.
So contrary to some FUD reports, Google Play stays relatively malware-free. Which makes long-running apps like this one especially puzzling.
Enter The Videos Mania, which is active for at least about a year, has been downloaded between 100k and half a million times, and has ~7000 likes on Google+. Its developer has 8 other apps like ringtones and wallpapers, all of which require SMS permissions and all are reported as trojans by Lookout, though the Videos one is by far the most popular. The dude didn’t really bother fudging a proper-looking certificate, simply signing his creations as “DN: C=xx”.
This Videos app is marked by 31/54 Virustotal vendors as an SMS-sending trojan, so I’m just curious, doesn’t Google like own VT? Don’t they VT-scan the apps? Or maybe they do it once during app version releases, and if there are no VT alarms at the time, they never re-scan? Not sure, that doesn’t sound like Google. But here we are with this app, and some more of my favorites coming up in future posts.
Sifting through endless Virustotal scans, you realize that it’s not easy at all to define what exactly mobile malware is. Literally 90% of antivirus-reported malware APKs are nothing but trivial or repackaged apps with some annoying adware library slapped on top of it that doesn’t even do anything really bad. Why exactly is mobile malware so elusive and not as clear-cut as the good old desktop viruses? A couple of things come to mind:
- The juicy parts often stay remote: unlike the classic desktop viruses and rootkits, a lot of mobile functionality remains on the server. So an app collects your banking password and sends it to server, that’s bad, right? Not if it’s a Bank of America server. What if it’s an Akamai or an EC2 server? What if it’s a Mint finance app server? This gets blurry really fast. Same with location apps – when an app constantly sends your location to a server, it’s cool if it’s your own account, and it’s suddenly not cool at all when someone else has access to that information on the server. Hard to automatically tell that just by looking at the mobile app tip of that iceberg. That’s why AV vendors came up with a euphemistic label “surveillanceware”, which means, “I have no idea if this app is bad or not, you have to look at it in your own context”.
- No need to get sophisticated: most of what’s labeled as mobile malware are small-time scams. In the mobile world, there is no such thing as a multi-million dollar botnet industry commercially used for:
- running spam
- staging DOS attacks
- collecting and laundering information
I guess mobile can be useful only for the last point right now, we’ve yet to see the first two on mobile. So no need to build autonomous sophisticated botnet clients that pack tons of revealing functionality and patterns with them. Consequently, a lot of mobile scams look rather plain and not very different from regular apps.
- No silent infections: it’s pointless to do port scanning and hard to use drive-by browser exploits on mobile. Combined with no incentive to make things complicated, the main vectors to get into someone’s phone are social engineering and brand abuse. Both of those are difficult to detect automatically, leaving a huge gray zone. Even the SMS scams: lots of legitimate apps have “share via SMS” functionality, good luck telling that from malware propagating itself via SMS, or sending messages to paid numbers that only become plaintext right before the message is sent.
So this leaves the traditional antivirus vendors especially helpless on mobile, best they can do so far is to report noisy adware or a few true malicious outliers that get outside the gray zone.
With Google Play tightening the security side with Virustotal and Bouncer (when the latter doesn’t crash, that is), you don’t see as much outright malware in that store anymore. However, one type of scammy apps that I still run into every week or so on Play are the ones that wrap some popular service, trying to get a cent or two from Admob.
Basically, it takes about 15 minutes to wrap any popular bank’s or web service’s mobile version in a WebView, stuff it with official-looking keywords, logos and descriptions, and publish on Play. Google can’t really do anything about it short of manual review of every single app. So anyone in the world (including some really not-so-well-off countries) who can write “hello world” for Android and subscribe to Admob, can then whip up a fully functional wrapper of a bank’s website, publish it in the US on Play, get a few hundred downloads from searches, and start collecting the Admob revenue.
For an extra bonus, they can also resell their install base to the real bad guys who can push a small update to the app and start stealing the actual credentials of the bank’s users. I don’t see an easy solution to this except the brands monitoring popular stores, and also trying to limit access to their services via WebView-like clients to at least raise the bar a bit for scammy developers. Because right now publishing a legit-looking service clone is ridiculously easy.
This year-old scam has resurfaced very prominently, and I’ve run into it on various websites that show Yahoo ads, indicating pretty massive malicious advertisement volume. A browser pop-up says the following:
Virus Affecting your Android? Turn on Virus Scanner NOW!
If you click “OK”, you can be taken to a variety of destinations, including:
- a spammy but legit-looking dating app on Google Play with 50mil(!) downloads – I’d imagine malicious ads are partly responsible for that number, maybe via an affiliate?
- a selection of some shady dating/porn sites
- and best of all, a step-by-step guide for you to enable app install from unknown sources on your phone, and download a modified version of “Android Armour” APK binary with God knows what added functionality:
Very impressive, considering these friendly folks are basically talking people into opening up their phones to every other kind of evil garbage that comes up next.
I ran into this a bunch of times over the last few weeks, as recently as this weekend on Tumblr. I know Yahoo is trying to squash these as fast as humanly possible, but until then, beware. And again, in US, it’s a good idea to never install anything on Android from anywhere other than Play.
So there is this cheesy-looking but nevertheless apparently semi-legit quick app building toolkit called AppsGeyser. By an outfit with a spammy name of BestToolbars, hailing from Virginia. Or Novosibirsk, depends on how you look at it.
Anyway, it’s gained some prominence with tens of thousands of apps out there bundling their library. The problem is, from what I see, every third app that is based on AppsGeyser is blacklisted. It’s gotten so bad that some AV companies seem to blacklist apps just for their use of that library. So the question is, is AppsGeyser in on all that malware action, or is it simply preferred by hackers?
So apps are secure, because everyone gets them from the store, right? Um, no. That’s kind of the case for Apple’s platform, where you have to go out of your way to find malware, but with the Android shipments outnumbering iOS device shipments 6 to 1, the real fun for bad guys and researchers happens in the Androidland.
- Third-party stores – you’d be surprised to find out that besides Play there are 500 app stores out there, of varying degrees of shadiness and security practices
- “Review” forums and blogs – e.g., even a legit-looking site Androidpolice.com, who really should know better, instead of getting people into habit of only using Play, encourages them to directly download APKs from a weird-looking Androidfilehost.com “mirror”
- Sending download links via SMS spam
- Email spam – “email from dad” that passed all Gmail filters and let me download a malicious app binary on the phone
- Twitter – as a bad guy, you get some followers, then start spraying links like download skype for mobile, and you got yourself a nice little install base for your scammy app
- Ads on web and mobile, links on websites that redirect you to an app binary download
- More bizarre ways like infecting via Bluetooth apparently
Just by watching and scraping some of these you can build yourself a sizable library of some pretty nasty stuff. Just watching the Twitter feed for some of those scams is pretty fascinating.