Mobile
News
2/6/2012 11:32 AM

New Android Malware Has Costly Twist

"Polymorphic" malware, tweaked frequently, sends SMS texts to premium-rate numbers until smartphone owner's account balance is depleted.

Slideshow: 10 Companies Driving Mobile Security
Beware the rise of polymorphic malware on Android smartphones.

That warning comes via security vendor Symantec, which said it's seeing malware-obfuscation techniques honed by PC attackers being used to develop malware that targets smartphones and tablets that run the Android mobile operating system.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection," according to a blog post from the Symantec security response team. "We are now seeing this same technique being used for malicious Android applications hosted on Russian websites."

The new malware, dubbed "Android.Opfake," is typically advertised as being a free version of some well-known Android software, available by clicking on a provided link or button. But in reality, said Symantec, the only software that then downloads is a Trojan app that's designed solely to surreptitiously "send SMS texts to premium-rate numbers," until the smartphone owner's account balance is exhausted.

[ Despite accusations that 13 ad-supported Android apps are malware, Google said Counterclank Apps To Remain In Android Market. ]

Speaking last year about mobile malware trends, Denis Maslennikov, a senior malware analyst for Kaspersky Lab, said the problem of premium-rate-dialing malware began in 2008. "Russia and the Ukraine, and other Eastern European countries, have some problems with legislation, which allows cybercriminals to rent premium rate numbers anonymously. That's why they're able to create SMS Trojans that send SMSes to premium-rate numbers," he said.

But the problem remains confined largely to those countries, he said. "In other countries, like any Western European country, or the United States, Canada, Australia, it's impossible to rent this premium-rate number anonymously."

In the case of Opfake, however, Symantec said the code now includes premium-rate numbers for not just Russia, but also Australia, Taiwan, and a number of European countries.

Interestingly, the malware developer appears to manually modify it every few days. In addition, the servers that host the malware also use three techniques for varying the attack code upon download: altering data, reordering files, and inserting fake files.

Data variation is the simplest technique, and may involve varying just one file, which is enough to fool a signature-based virus scanner. In one sample examined by Symantec, the file that was varied "contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware." In other words, attackers are varying not fake data, but the actual data that the malware relies on when launching an attack.

Another technique, meanwhile, simply reorders code and data files before creating the Android package (APK) file that gets downloaded. According to Symantec, "when the package is created, the differences in file ordering will cause different manifest and signature files to be created."

The final technique involves inserting temporary files into the APK. "We have seen upwards of 40 of these dummy files in a single package," said Symantec. "However, the number of dummy .temp files may change with each download, providing even more permutations each time the application is downloaded."

What's the best way to stop server-side polymorphic malware? While mobile antivirus scanning software can help, Symantec also recommended only downloading apps from trusted markets, and being discerning before granting any permissions to an Android app. Notably, even Android.Opfake must request permission to send SMS messages, and of course in this case that permission can, and should, be denied.
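All three variation techniques described above (a varied data file, reordered entries with fresh META-INF manifest and signature files, and dummy .temp padding) change the bytes of the package without changing the code that does the work, which is what a defender can key on. The following Python script is an added example, not Symantec's or InformationWeek's code: it builds three constructed toy packages in memory that differ only in those ways, shows that a whole-file SHA-256 changes with every "download" while an order-independent fingerprint over the non-padding entries does not, and checks the manifest for the SEND_SMS permission the article says even Opfake has to request. The file names and contents are placeholders, and the plain-text AndroidManifest.xml is an assumption for illustration; a real APK carries a binary XML manifest that needs a proper decoder.

```python
"""Defender-side triage for server-side polymorphic APKs (added example).

Constructed toy packages only: no real malware, no real premium numbers.
Assumption: the manifest is plain-text XML; real APKs use binary XML.
"""
import hashlib
import io
import re
import zipfile

# Constructed sample contents (placeholders, not real bytecode or data).
CODE = b"dex\n035\x00placeholder bytecode"          # stands in for classes.dex
MANIFEST = b"""<manifest package="example.fake.app">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
NUMBERS_V1 = b"operator-placeholder,number-placeholder,msg1\n"
NUMBERS_V2 = b"operator-placeholder,number-placeholder,msg2\n"  # "data variation"


def build_apk(entries):
    """Write an in-memory zip (an APK is a zip) with entries in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
        # Like a real build, the manifest lists entries in package order, so
        # reordering the files alone yields a different META-INF/MANIFEST.MF.
        listing = b"".join(b"Name: %s\n" % n.encode() for n, _ in entries)
        zf.writestr("META-INF/MANIFEST.MF", listing)
    return buf.getvalue()


def file_sha256(apk_bytes):
    """The classic signature: changes with every polymorphic download."""
    return hashlib.sha256(apk_bytes).hexdigest()


def is_padding(name):
    """Dummy .temp files and META-INF manifest/signature files are excluded:
    both are regenerated on every download and carry no program logic."""
    return name.endswith(".temp") or name.startswith("META-INF/")


def structural_fingerprint(apk_bytes, code_only=False):
    """Order-independent hash over the entries that actually matter.

    code_only=True hashes just the .dex entries, so a package whose only
    change is a varied data file still matches its siblings."""
    digests = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if is_padding(name):
                continue
            if code_only and not name.endswith(".dex"):
                continue
            entry_hash = hashlib.sha256(zf.read(name)).digest()
            digests.append(name.encode() + b"\0" + entry_hash)
    h = hashlib.sha256()
    for d in sorted(digests):       # sorting removes the file-ordering variation
        h.update(d)
    return h.hexdigest()


def requested_permissions(apk_bytes):
    """Permissions declared in the (plain-text, assumed) manifest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
    return set(re.findall(r'android:name="([^"]+)"', manifest))


def can_send_sms(apk_bytes):
    """Flag the permission a premium-SMS Trojan cannot do without."""
    return "android.permission.SEND_SMS" in requested_permissions(apk_bytes)


# Three "downloads" of the same package, varied the way the article describes.
BASE = [("AndroidManifest.xml", MANIFEST),
        ("classes.dex", CODE),
        ("assets/numbers.db", NUMBERS_V1)]
DOWNLOAD_1 = build_apk(BASE)
# Reordered files plus 40 dummy .temp files of varying size.
DOWNLOAD_2 = build_apk(list(reversed(BASE)) +
                       [("%d.temp" % i, b"x" * i) for i in range(1, 41)])
# Same code, different premium-number database.
DOWNLOAD_3 = build_apk([("classes.dex", CODE),
                        ("assets/numbers.db", NUMBERS_V2),
                        ("AndroidManifest.xml", MANIFEST)])

if __name__ == "__main__":
    for label, apk in (("1", DOWNLOAD_1), ("2", DOWNLOAD_2), ("3", DOWNLOAD_3)):
        print(label, file_sha256(apk)[:12], structural_fingerprint(apk)[:12],
              structural_fingerprint(apk, code_only=True)[:12], can_send_sms(apk))
```

Run stand-alone, the script prints a row per download: the whole-file hash differs every time, the structural fingerprint matches downloads 1 and 2, and the code-only fingerprint matches all three. The point for a scanner or app-store pipeline is that matching on the stable part of the package (the code entries, with ordering, signing metadata and padding stripped) survives all three tricks, while the SEND_SMS check is a cheap first triage that works even when the fingerprint has never been seen.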


Comments
Bprince (User Rank: Apprentice), 2/7/2012 | 1:46:25 AM
re: New Android Malware Has Costly Twist
This isn't too surprising that this would happen. The advice at the end is sound.
Brian Prince, InformationWeek/Dark Reading Comment Moderator