Beware Angry Birds Help Offers: Malware in Disguise
Google removes more malware from Android market after university researchers identified background spy apps--including one that used Angry Birds frustration as bait.
Xuxian Jiang, an assistant professor in computer science at North Carolina State University, last week found 10 applications infected with malware in the Android Market. On June 5, he reported it to Google, which suspended the applications on the same day. Jiang also contacted mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, CA, SmrtGuard, Juniper, Kinetoo, Fortinet, and others.
What is this latest threat?
In a blog post published last week, Jiang explained that this new malware, which his team named "Plankton" (after the pesky Spongebob character?) doesn't attempt to root Android phones. Rather, it was designed to run in the background secretly.
"Plankton is the first one that we are aware of that exploits Dalvik-class loading capability to stay stealthy and dynamically extend its own functionality," wrote Jiang. "Its stealthy design also explains why some earlier variants have been there for more than two months without being detected by current mobile anti-virus software."
This particular piece of malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game (Angry Birds itself was not infected).
What does it do? Once the malware is fired up by the users, it loads a background service. That background service application scours the device for user data, including the device ID code, and reports it back to a remote server. The server parses the data and then sends a link back to the malware, which downloads an executable and then runs nearly invisible in the background.
The application then starts collecting more data, such as browser bookmarks, browser history, home page shortcuts, and runtime log information.
Jiang's team also found some pretty scary stuff. "During our investigation," he explained, "we also identified an interesting function that if invoked can be used to collect user's accounts. Though our analysis shows that this function is not linked to any supported command, its presence as well as the capability of dynamically loading a new payload can easily turn stealing user's accounts or even launching root exploits into reality."
Considering the type of accounts people access from their smartphones these days--business servers, email, social networking, banking, etc.--this is cause for real concern.
Google has removed the infected applications. Just two weeks ago, Google suspended 26 applications. In March, Google removed 50 poisonous apps from the Android Market.
Why is the Android Market facing these issues when Apple's App Store seemingly isn't? The Android Market is appealing to the nefarious for all the right reasons. It is open (Google doesn't curate it), it is everywhere (on millions of smartphones), and it is monetizable (can be used to charge user accounts and steal real money). Norton sees the problem growing before going away.
Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.