In The Wild: Mobile Security Observations from the Check Point Research Team

Every day, it seems, our research team encounters new ways hackers can infiltrate your mobile device. In this week’s mobile security observations we’ll go over some new advancements in malware targeting Android devices, as well as additional dangerous architecture flaws in the iOS environment.

Dropper Uses Steganography to Infiltrate Google Play – And Devices

Researchers have revealed a new malware campaign on Google Play embedded into more than 60 game apps. The apps are still on Google Play and, from the looks of it, there is no hard evidence that these apps were developed with a malicious intention. Notwithstanding, the apps do have dire dropping capabilities that may easily be abused by malicious actors. Technologically speaking, the dropper platform is extremely interesting.

This line of droppers uses a technique that is a groundbreaking advancement by mobile malware standards: image-embedded steganography, just as our researchers predicted: “We’ll start seeing steganographic methods being used in the wild.”

The dropper referred to is Android.Xiny.19.origin, which is part of the Letang adnet SDK. Its purpose is to present advertisements on the device, which might be annoying but isn’t unusual. In some cases it pops up advertisements outside the scope of the application, which is borderline illegitimate. The interesting part, however, is that this app is capable of downloading images that potentially contain a malicious apk or dex file concealed by steganography. Once the payload is extracted, the malware can execute any code the cyber criminals desire.

Unlike previous malware that used images in order to conceal itself, this new method uses a much more complex form of steganography. In a few older malware samples we detected a simple technique that used a delimiter followed by a base64 string; the malware decoded the string into a binary. This older technique can easily be spotted even by a human eye looking at the image’s data, let alone by a file type auto-detection mechanism.

The new form of steganography makes far smaller changes to the image’s binary data. It changes only the low-order bits of certain pixel values, barely altering the picture itself. This is almost undetectable even by machines. The malicious downloader must know in advance which bytes were modified and how, and decode the relevant bytes accordingly. Once decoded, a malicious apk or dex file is created.
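To make the difference between the two techniques concrete from a defender’s side, here is an added example (not Check Point’s code, and not taken from the Xiny sample) that implements two checks an analyst can run over an image pulled from an ad SDK’s traffic: a scan for a base64 blob appended behind the image data, which catches the older delimiter-plus-base64 style, and a pairs-of-values chi-square statistic over 8-bit samples, which picks up the flattening of the least-significant-bit plane that LSB replacement leaves behind. The JPEG/PNG stubs and pixel arrays are constructed inline; the magic bytes, the 32-character base64 minimum and the ratio threshold of 2.0 are this example’s own assumptions.

```python
"""Defensive checks for the two image-steganography styles described above.

Added example, not Check Point's code. Sample inputs are constructed inline
and contain no real payload: the appended blob is only a zip magic header.
"""
import base64
import random
import re
from typing import Optional

# Magic bytes of payload types worth flagging when found inside an image.
PAYLOAD_MAGIC = {
    b"PK\x03\x04": "zip/apk",
    b"dex\n": "dex",
    b"\x7fELF": "elf",
}

# A run of base64 alphabet this long is very unlikely to occur by chance
# inside compressed image data (assumed minimum of 32 characters).
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the bytes a JPEG or PNG decoder needs, or None for
    other containers. Anything after it plays no part in rendering."""
    if data.startswith(b"\xff\xd8"):            # JPEG: last EOI marker
        eoi = data.rfind(b"\xff\xd9")           # rfind skips an EXIF thumbnail's own EOI
        return None if eoi < 0 else eoi + 2
    if data.startswith(b"\x89PNG\r\n\x1a\n"):   # PNG: IEND chunk = "IEND" + 4-byte CRC
        iend = data.find(b"IEND")
        return None if iend < 0 else iend + 8
    return None


def scan_appended_payload(data: bytes) -> dict:
    """Report trailing bytes after the image and what any base64 run in them
    decodes to. This is the delimiter + base64 style of the older droppers."""
    result = {"trailing_bytes": 0, "base64_found": False, "decoded_type": None}
    end = image_end_offset(data)
    if end is None or end >= len(data):
        return result
    trailing = data[end:]
    result["trailing_bytes"] = len(trailing)
    for match in _B64_RUN.finditer(trailing):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            continue
        result["base64_found"] = True
        result["decoded_type"] = next(
            (name for magic, name in PAYLOAD_MAGIC.items() if blob.startswith(magic)),
            "unknown",
        )
        if result["decoded_type"] != "unknown":
            break
    return result


def lsb_chi_ratio(samples: bytes) -> float:
    """Pairs-of-values chi-square divided by its degrees of freedom.

    In a natural image the values 2k and 2k+1 occur with different
    frequencies, so the statistic is large. Replacing the LSB plane with
    random-looking data pushes each pair toward equal counts, and the
    statistic falls to roughly 1.0 per pair."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi, dof = 0.0, 0
    for k in range(128):
        n0, n1 = counts[2 * k], counts[2 * k + 1]
        if n0 + n1:
            chi += (n0 - n1) ** 2 / (n0 + n1)  # equals sum((n-e)^2/e) for the pair
            dof += 1
    return chi / dof if dof else 0.0


def lsb_looks_embedded(samples: bytes, threshold: float = 2.0) -> bool:
    """Flag a sample plane whose LSB pairs are suspiciously balanced
    (threshold of 2.0 is an assumption; tune it on your own image corpus)."""
    return lsb_chi_ratio(samples) < threshold


# --- Constructed sample data -------------------------------------------------
CLEAN_JPEG = b"\xff\xd8" + bytes(64) + b"\xff\xd9"          # stub JPEG container
_FAKE_ARCHIVE = b"PK\x03\x04" + bytes(26)                   # just a zip magic, 30 bytes
SAMPLE_IMAGE_WITH_PAYLOAD = CLEAN_JPEG + b"||" + base64.b64encode(_FAKE_ARCHIVE)


def _synthetic_cover(n: int, seed: int = 0) -> bytes:
    """Stand-in for a natural image: 8-bit samples whose LSB is skewed
    toward 0, the kind of imbalance that LSB embedding erases."""
    rng = random.Random(seed)
    return bytes(
        (rng.randrange(256) & 0xFE) if rng.random() < 0.9 else rng.randrange(256)
        for _ in range(n)
    )


def _randomise_lsb_plane(samples: bytes, seed: int = 1) -> bytes:
    """Test input only: coin-flip every LSB, which is what the plane looks
    like after random-looking data has been written into it."""
    rng = random.Random(seed)
    return bytes((s & 0xFE) | rng.getrandbits(1) for s in samples)


NATURAL_PIXELS = _synthetic_cover(20000)
EMBEDDED_PIXELS = _randomise_lsb_plane(NATURAL_PIXELS)

if __name__ == "__main__":
    print(scan_appended_payload(SAMPLE_IMAGE_WITH_PAYLOAD))
    print(f"cover LSB chi ratio:    {lsb_chi_ratio(NATURAL_PIXELS):.1f}")
    print(f"embedded LSB chi ratio: {lsb_chi_ratio(EMBEDDED_PIXELS):.1f}")
```

The appended-payload scan is a yes/no test, but the chi-square check is only a statistical signal: it needs the decoded 8-bit samples (not the compressed file), it says nothing about which pixels carry the data, and an embedder that writes into only a small fraction of pixels will move the ratio much less than the constructed sample does. In practice it is one feature alongside the network indicators mentioned below, not a verdict on its own.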

Why is this significant?

This is a huge step up in malware stealth techniques, which will undoubtedly be copied by other cyber criminals. It makes it much harder for security vendors to detect such malware. Fortunately, advanced threat prevention solutions can detect the initial dropper that downloads the malicious files, the communication between the malware and the C&C server, and the steganographic data flows themselves.

Another Crack in the iOS Garden Wall

Apple implements strict security measures in order to protect the App Store. One of these measures is a thorough inspection of all apps and updates that are uploaded to the store. However, this inspection is a double-edged sword as it creates long delays in patching apps by developers.

For this reason, developers have created a workaround named JSPatch, which is built on Apple’s JavaScriptCore framework. As it turns out, developers are using JSPatch in order to patch their apps without waiting for Apple’s inspection, thus avoiding its security checks. The problem with this workaround is that it can easily be exploited in various ways in order to distribute malware without Apple noticing.

For more information you can read our blog post regarding the issue.

Why is this significant?

JSPatch is widely used by developers, most of whom have good intentions. This, however, does not matter very much, since malicious components can be added to an app through JSPatch without the developer’s knowledge. Of course, a malicious developer could also easily use this tool to spread malware for his own purposes. This is an additional flaw in the supposedly well-protected architecture of the iOS environment.

Ransomware Clickjacks You to Gain Elevated Privileges

Malware is continuously evolving, using new tricks to deceive users and security measures. A new variant of the known Lockdroid ransomware uses a new tactic in order to gain elevated privileges on your Android device. The malware is concealed inside a fake app. Once downloaded, it creates a fake installation process and draws a UI overlay on top of the real system dialog. While the user thinks he only pressed “continue”, he has actually granted the malware device administrator privileges. The malware then encrypts the phone’s data and demands a ransom in return for the keys.

Why is this significant?

Such developments make it harder for users to notice when they are being fooled. In order to protect yourself from such threats, we advise you to stick to downloading apps from the official Google Play app store. These past weeks were full of new malware and malicious techniques aimed at the mobile world. This is another reminder of the need for advanced Threat Prevention solutions that are able to protect users from such elaborate threats, especially for organizations using BYOD policies.


Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.