New Android Malware Has Costly Twist

Polymorphic malware, tweaked frequently, sends SMS texts to premium-rate numbers until smartphone owner's account balance is depleted.
10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Beware the rise of polymorphic malware on Android smartphones.

That warning comes via security vendor Symantec, which said it's seeing malware-obfuscation techniques honed by PC attackers being used to develop malware that targets smartphones and tablets that run the Android mobile operating system.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection," according to a blog post from the Symantec security response team. "We are now seeing this same technique being used for malicious Android applications hosted on Russian websites."

The new malware, dubbed "Android.Opfake," is typically advertised as being a free version of some well-known Android software, available by clicking on a provided link or button. But in reality, said Symantec, the only software that then downloads is a Trojan app that's designed solely to surreptitiously "send SMS texts to premium-rate numbers," until the smartphone owner's account balance is exhausted.

[ Despite accusations that 13 ad-supported Android apps are malware, Google said Counterclank Apps To Remain In Android Market. ]

Speaking last year about mobile malware trends, Denis Maslennikov, a senior malware analyst for Kaspersky Lab, said the problem of premium-rate-dialing malware began in 2008. "Russia and the Ukraine, and other Eastern European countries, have some problems with legislation, which allows cybercriminals to rent premium rate numbers anonymously. That's why they're able to create SMS Trojans that send SMSes to premium-rate numbers," he said.

But the problem remains confined largely to those countries, he said. "In other countries, like any Western European country, or the United States, Canada, Australia, it's impossible to rent this premium-rate number anonymously."

In the case of Opfake, however, Symantec said the code now includes premium-rate numbers for not just Russia, but also Australia, Taiwan, and a number of European countries.

Interestingly, the malware developer appears to manually modify it every few days. In addition, the servers that host the malware also use three techniques for varying the attack code upon download: altering data, reordering files, and inserting fake files.

Data variation is the simplest technique, and may involve just varying one file, which would be enough to fool a signature-based virus scanner. In one file examined by Symantec, interestingly, the file that was varied "contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware." In other words, attackers are varying not fake data, but actual data that the malware relies on when launching an attack.

Another technique, meanwhile, simply reorders code and data files before creating the Android package (APK) file that gets downloaded. According to Symantec, "when the package is created, the differences in file ordering will cause different manifest and signature files to be created."

The final technique involves inserting temporary files into the APK. "We have seen upwards of 40 of these dummy files in a single package," said Symantec. "However, the number of dummy .temp files may change with each download, providing even more permutations each time the application is downloaded."

What's the best way to stop server-side polymorphic malware? While mobile antivirus scanning software can help, Symantec also recommended only downloading apps from trusted markets, and being discerning before granting any permissions to an Android app. Notably, even Android.Opfake must request permission to send SMS messages, and of course in this case that permission can--and should--be denied.

Email encryption, rights management, email gateways and full-on data loss prevention systems can keep corporate data secure. Consider the pros and cons of each to determine what's best for your business. Download our Email And Data Loss report. (Free registration required.)

Editor's Choice
James M. Connolly, Contributing Editor and Writer
Carrie Pallardy, Contributing Reporter
Roger Burkhardt, Capital Markets Chief Technology Officer, Broadridge Financial Solutions
Shane Snider, Senior Writer, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
John Edwards, Technology Journalist & Author