Malware, Malware, and More Malware:
If you’re staying up-to-date with the latest cybersecurity news, then you’d know that Google’s Android OS is receiving a lot of unwanted attention. Just recently, it was discovered that Android devices are the most susceptible to the recent Wi-Fi KRACK attacks. You can read more about that in my earlier post, All Wi-Fi Networks are Currently Vulnerable to Attack. Anyway, it seems like almost every other day, The Hacker News is publishing something about the Google Play store and its prevalent malware issue. This isn’t something new; it’s been going on for quite some time.
Last April, the U.S. Dept. of Homeland Security Science and Technology (DHS-ST) released a “Mobile Device Security” study for U.S. Congressional review. As its name suggests, the study assessed the current threats facing the U.S. government’s use of mobile devices. Though the study identified numerous threats, the DHS-ST listed mobile application security as a top-five concern, including malicious Android applications, exploitable mobile public application stores, vulnerable applications, and questionable third-party application stores.
Other threats concerned how Android stored personal data in unencrypted form, assigned insecure file permissions, wrote sensitive information to system logs in plaintext, and left Web browser vulnerabilities unresolved.
However, the DHS-ST was particularly interested in applications that would grant access to sensitive information, such as text messages, call logs, location, camera, and calendar data. At the time, the DHS-ST made a note regarding the DressCode Android malware plaguing corporate networks, which amplified the need for Android anti-malware technologies.
Despite the government’s concern for malicious Android applications, many Android users are blissfully unaware of how much malware is actually in the Google Play and third party application stores.
The most upsetting and malicious Android applications appear to target financial institutions. Last April, a malicious Android application was discovered stealing customer banking credentials and credit card numbers from over a dozen banks around the globe. According to the report, the malicious application displayed phishing messages made to look like legitimate bank login pages. More specifically, this application used pharming attacks to trick its victims into revealing their bank credentials.
To the distress of banking customers, Android banking malware is still on the rise. According to Global Banking News, researchers discovered leaked source code for dangerous Android banking Trojans on a well-known hacker forum. This news comes after Australia’s four biggest banks were hit by malicious Android applications.
Also, this year, Google discovered a version of Pegasus in an Android application, making it an exceptionally dangerous application for U.S. government employees. Pegasus is a type of spyware developed by an Israeli surveillance group. It has the capability of stealing call logs, text messages, Facebook and Skype messages, and can even take control of an Android device’s camera and microphone. Its most alarming features are its keylogging and screenshot capabilities and its ability to self-destruct when required.
Similar malicious Android applications believed to originate from Russian malware developers were also found on Android devices last year. This is concerning evidence that some theorize could tie Russian intelligence to the DNC hacks and the U.S. presidential election.
But, Google Play is Safe…Right?
Android users believe that they can trust Google Play apps, but this is far from the truth. Just this month, 1 million Android users on Google Play were tricked into downloading a malicious duplicate of “Whatsapp,” which is a very, very popular messenger app. Fortunately, this app was not “malicious,” per se, but I can’t say the same for the next several examples.
Last month, Check Point security firm identified at least 50 malicious apps in Google Play that were downloaded 4.2 million times before Google removed them. The malware discovered in these apps is nicknamed “ExpensiveWall” since it secretly registered victims for paid online services. It also includes another lovely feature that sends fraudulent premium text messages from the victim’s smartphone, leaving them to pay the bill.
A few months ago, “WireX” was detected in Google Play; once infected, the Android device is recruited into a botnet. WireX has been known to use its botnet for DDoS attacks.
Around the same time, Lookout security firm researchers discovered thousands of applications, both in Google Play and in third-party application stores, infected with the “SonicSpy” spyware. SonicSpy contains 73 different remote instructions that allow it to hijack your microphone and the device camera, record calls, take snapshots, track user location, send out text messages, and grab information about the wireless AP the infected device is connected to.
In early June, over 800 different apps in Google Play were discovered to contain the “Xavier” malware. Again, that’s 800 DIFFERENT apps! And, they were downloaded millions of times! Xavier comes from a malware family designed to conduct remote code execution and steal sensitive information from the infected device.
In August this year, another 500 different apps in Google Play were discovered to be carrying the “Igexin” SDK. Igexin was originally thought to assist app developers with targeted advertisements; however, the Lookout mobile security firm discovered that Igexin-integrated apps were communicating with malicious IP addresses. Once infected, devices could have additional malware installed on them remotely.
So, it appears the Google Play store is not as safe as we thought.
Why are Android Devices So Susceptible to Malware?
Google’s anti-malware precautions are inadequate, and most third-party application stores take ZERO anti-malware precautions. The fact that Android users are even allowed to download apps from outside of Google Play is a big risk in itself. Google also refuses to restrict installation from unknown app sources. It seems almost anyone can develop an app and have it published in Google Play. As long as app developers can encrypt their malicious code, or obfuscate it in some way, they can circumvent Google’s anti-malware scans.
When mobile devices that may be carrying malware are plugged into or connected to our corporate networks, security administrators have to be especially cautious to ensure that the device is properly scanned for malware and given the good-to-go before it is granted access to the network. Fortunately, we have mobile device management tools and policies to ensure proper security methods are in place. Mobile devices will need to have the latest updates and signatures pushed to them, and will also need to be monitored for application control.
Because of this, the DHS-ST is requesting a larger focus on mobile application security, especially in the case of the malicious applications inside Google Play. Many programs offered under the DoD, DHS, NIST, and the Cloud Security Alliance can assist in the matter. As an extension, the DHS-ST offers its best-practice mobile security recommendations in its Cybersecurity Strategy and Implementation Plan (CSIP).
How Can Android Users Protect Themselves?
Android users should be cautious about the types of apps they download onto their devices. If an app looks suspicious, or is simply one you can do without, do not download it.
Also, use common sense. Never grant an app permission to access a utility it has no business accessing. For example, a wallpaper app has no business requesting access to your camera, microphone, or contact list. That should be a big red flag right there.
Most importantly, Android users should stop downloading apps from outside of Google Play. Google Play may not be 100 percent safe, but it is definitely safer than third-party app stores or apps you download off of a search engine.
Should you use an anti-malware scanner? That is a tough question. I have a bone to pick with some of these anti-malware apps, as most of them are designed by amateurs.
The DHS-ST leaves some best-practice recommendations, which include restricting apps from accessing your e-mail, calendar, contacts, camera, and GPS.
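The “red flag” test above (a wallpaper app asking for camera, microphone, or contacts) and the DHS-ST list of resources worth restricting can be turned into a mechanical check on an app’s manifest. The script below is an added example, not code from the original post, from Google, or from the DHS-ST: it parses the `<uses-permission>` entries of an AndroidManifest.xml, maps the real Android permission strings to the sensitive resource each one unlocks, and flags any that fall outside what an app of the stated category plausibly needs. The sample manifest is constructed, and the permission-to-resource mapping and the per-category allowlists (`EXPECTED_RESOURCES`) are this example’s own assumptions.

```python
"""Flag manifest permissions that do not fit an app's stated purpose.

Added example, not code from the original post or from Google/DHS-ST. The
manifest below is a constructed sample; the permission-to-resource mapping and
the per-category allowlists are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

# Namespace every Android manifest uses for its android:* attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings, grouped by the sensitive resource they unlock
# (the resources the post and the DHS-ST recommendations single out).
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
}

# Assumed allowlists: which sensitive resources an app of each kind plausibly needs.
EXPECTED_RESOURCES = {
    "wallpaper": set(),
    "messenger": {"contacts", "camera", "microphone", "sms"},
    "navigation": {"location"},
}

# Constructed sample: a "wallpaper" app that asks for far more than wallpapers need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Pretty Wallpapers"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def flag_permissions(manifest_xml, category):
    """Map each out-of-place sensitive permission to the resource it unlocks.

    A permission is flagged when it unlocks a sensitive resource that the app's
    category has no plausible use for. Permissions not in SENSITIVE_PERMISSIONS
    (INTERNET, SET_WALLPAPER, ...) are ignored by this check.
    """
    allowed = EXPECTED_RESOURCES[category]
    flagged = {}
    for permission in declared_permissions(manifest_xml):
        resource = SENSITIVE_PERMISSIONS.get(permission)
        if resource is not None and resource not in allowed:
            flagged[permission] = resource
    return flagged


def review(manifest_xml, category):
    """Human-readable verdict: the red flag the post describes, or a clean bill."""
    flagged = flag_permissions(manifest_xml, category)
    if not flagged:
        return f"{category}: no out-of-place sensitive permissions"
    lines = [f"{category}: {len(flagged)} red flag(s)"]
    for permission, resource in sorted(flagged.items()):
        lines.append(f"  {permission} -> {resource}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The same manifest is a red flag for a wallpaper app but ordinary for a messenger.
    print(review(SAMPLE_MANIFEST, "wallpaper"))
    print(review(SAMPLE_MANIFEST, "messenger"))
```

The check is deliberately category-relative: the identical permission set is alarming on a wallpaper app and unremarkable on a messenger, which is exactly the judgement the post asks users to make by hand. On a real device the manifest comes out of the APK (for example via the Android SDK’s `aapt dump permissions`), and the allowlists would be tuned to the organisation’s own application-control policy.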