
Beware Angry Birds Help Offers: Malware in Disguise

Google removes more malware from Android market after university researchers identified background spy apps--including one that used Angry Birds frustration as bait.
Xuxian Jiang, an assistant professor in computer science at North Carolina State University, last week found 10 applications infected with malware in the Android Market. On June 5, he reported it to Google, which suspended the applications on the same day. Jiang also contacted mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, CA, SmrtGuard, Juniper, Kinetoo, Fortinet, and others.

What is this latest threat?

In a blog post published last week, Jiang explained that this new malware, which his team named "Plankton" (after the pesky SpongeBob character?), doesn't attempt to root Android phones. Instead, it is designed to run secretly in the background and to fetch additional code after it has been installed.

"Plankton is the first one that we are aware of that exploits Dalvik-class loading capability to stay stealthy and dynamically extend its own functionality," wrote Jiang. "Its stealthy design also explains why some earlier variants have been there for more than two months without being detected by current mobile anti-virus software."

This particular piece of malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game (Angry Birds itself was not infected).

What does it do? Once the user launches the infected app, it starts a background service. That service gathers device information, including the device ID, and reports it to a remote server. The server parses the data and replies with a link; the malware downloads the payload at that link and loads it through Dalvik's class-loading mechanism, so the new code runs nearly invisibly in the background and was never part of the package that the Market, or an anti-virus scanner, had inspected.

The downloaded payload then collects more data, such as browser bookmarks, browser history, home page shortcuts, and runtime log information.
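The behaviour described above, a service that phones home and then pulls in new Dalvik code, leaves static traces in an APK even before the payload arrives: a reference to the dynamic class loader in the dex string table, the INTERNET permission, and permissions for the data worth stealing. The following triage script is an added example, not code from the article or from Jiang's team. It assumes the APK's AndroidManifest.xml has already been decoded from binary AXML to plain XML (as apktool or aapt would do), and the two sample APKs it builds are constructed in-memory zips with a placeholder classes.dex; the package and service names in them are hypothetical.

```python
"""Static triage of an APK for the Plankton-style indicators described above.

Added example, not the article's or Jiang's code. Assumes AndroidManifest.xml
has already been decoded to plain XML; the sample APKs are constructed stand-ins.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Strings that show the app can pull in new Dalvik code after installation.
# The first form is the type descriptor a compiled reference leaves in the
# dex string table; the second is what a reflective Class.forName() call uses.
DYNAMIC_LOADER_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"dalvik.system.DexClassLoader",
)

# Permissions that gate the data the article says Plankton collects.
DATA_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "device ID",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history and bookmarks",
    "android.permission.READ_LOGS": "runtime logs",
    "android.permission.GET_ACCOUNTS": "account list",
}
NETWORK_PERMISSION = "android.permission.INTERNET"


def triage_apk(apk_bytes):
    """Return the indicators found in an APK supplied as bytes."""
    findings = {"dynamic_loading": False, "network": False,
                "data_permissions": {}, "services": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        if "classes.dex" in names:
            # Descriptors are stored as plain MUTF-8 in a real dex, so a raw
            # substring search works without parsing the string table.
            dex = apk.read("classes.dex")
            findings["dynamic_loading"] = any(m in dex for m in DYNAMIC_LOADER_MARKERS)
        if "AndroidManifest.xml" in names:
            root = ET.fromstring(apk.read("AndroidManifest.xml"))
            for perm in root.iter("uses-permission"):
                name = perm.get(ANDROID_NS + "name")
                if name == NETWORK_PERMISSION:
                    findings["network"] = True
                elif name in DATA_PERMISSIONS:
                    findings["data_permissions"][name] = DATA_PERMISSIONS[name]
            for svc in root.iter("service"):
                findings["services"].append(svc.get(ANDROID_NS + "name"))
    return findings


def is_suspicious(findings):
    """Plankton pattern: loads code at runtime, reaches the network, and can read data worth stealing."""
    return (findings["dynamic_loading"] and findings["network"]
            and bool(findings["data_permissions"]))


def build_sample_apk(manifest_xml, dex_strings):
    """Build a constructed stand-in APK: a zip holding a decoded manifest and a
    placeholder classes.dex whose only content is the given string table."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", manifest_xml)
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings) + b"\x00")
    return buf.getvalue()


# Constructed manifests; package and service names are hypothetical.
CHEAT_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.birdsguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application>
    <service android:name=".HelperService"/>
  </application>
</manifest>"""
CHEAT_APP_DEX_STRINGS = (b"Landroid/app/Service;", b"Ldalvik/system/DexClassLoader;",
                         b"http://", b"loadClass")

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.levelguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
BENIGN_DEX_STRINGS = (b"Landroid/app/Activity;", b"Landroid/webkit/WebView;")


if __name__ == "__main__":
    for label, manifest, strings in (("cheat app", CHEAT_APP_MANIFEST, CHEAT_APP_DEX_STRINGS),
                                     ("level guide", BENIGN_MANIFEST, BENIGN_DEX_STRINGS)):
        found = triage_apk(build_sample_apk(manifest, strings))
        print(label, "SUSPICIOUS" if is_suspicious(found) else "clean", found)
```

This is triage, not a verdict: legitimate plugin frameworks also use DexClassLoader, and an author who obfuscates the class name or hides it in native code will not match the markers. What the check does capture is the combination the article describes, the ability to load code that was never in the reviewed package alongside the permissions needed to read and send the data that code will go after, which is the right thing to flag for a manual look.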

Jiang's team also found some pretty scary stuff. "During our investigation," he explained, "we also identified an interesting function that if invoked can be used to collect user's accounts. Though our analysis shows that this function is not linked to any supported command, its presence as well as the capability of dynamically loading a new payload can easily turn stealing user's accounts or even launching root exploits into reality."

Considering the type of accounts people access from their smartphones these days--business servers, email, social networking, banking, etc.--this is cause for real concern.

Google has removed the infected applications. Just two weeks ago, Google suspended 26 applications, and in March it removed 50 malicious apps from the Android Market.

Why is the Android Market facing these issues when Apple's App Store seemingly isn't? The Android Market is appealing to the nefarious for all the right reasons. It is open (Google does not review apps before they are published), it is everywhere (on millions of smartphones), and it is monetizable (it can be used to charge user accounts and steal real money). Norton expects the problem to grow before it goes away.

For IT, the challenge will be to manage employee devices effectively against new threats as they arise.

Innovative IT shops are turning the mobile device management challenge into a business opportunity, showing that IT can help people be more connected and collaborative regardless of location.