In The Wild: Malware in Google Play is as Prevalent and Pesky as Ever

Not a week passes without new malware being found on Google Play, and this week was no different. The malware found includes both new and old samples: a known malicious banker and a new type of malware making its first appearance on Google Play. Google has also patched more vulnerabilities, which is no coincidence: frequent security patches and malware discoveries have become the norm because of the frail security Android provides.

Using Wi-Fi to Hack Into Your Device

Among the various security patches recently released by Google, one in particular catches the eye. The vulnerability allowed attackers to elevate privileges or even to target a device with a Denial-of-Service attack. It was discovered in the Wi-Fi Protected Access (WPA) supplicant, the component responsible for authenticating Wi-Fi connections. A malicious app installed on the device could exploit the vulnerability to run arbitrary code in a higher-privilege context, allowing it to disable the device’s Wi-Fi adapter and take control of the device.


This is only one example of the kind of vulnerability attackers can use to target devices. Although this flaw was discovered in February, Google has only now released a patch, and it could take even longer for users to receive and install it.

Inviting the Big Bad Wolf Inside

Acecard is a known Android banker Trojan which has targeted many users in the past. However, this did not stop it from successfully infiltrating Google Play. The malware achieved this using a dropper called “Black Jack Free.” Droppers are a known tactic used by malware developers to bypass Google’s security measures: the seemingly benign app does not contain any malicious code, but once installed on a device it downloads a second app which contains the actual malware. This second app then displays fake bank overlays to steal a user’s credentials.

This case proves again how easily malware writers can circumvent Google’s security methods to target users directly through Google Play.

Meet the Vikings

The Check Point research team uncovered a new Android malware campaign on Google Play called Viking Horde. Viking Horde conducts ad fraud, but can also be used for other attack purposes like DDoS attacks, spam messages, and more. Viking Horde managed to bypass Google Play malware scans and masqueraded as five different apps.

Viking Horde creates a botnet that proxies IP addresses to disguise ad clicks, thereby generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots are used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.

This is a new capability in the mobile attack arsenal. Until now, we have only seen clickers which perform silent clicks from the device itself. This new capability holds much larger potential for attackers, who can use it for various malicious purposes. No doubt this will not be the last we hear of this type of malware.

Annoying the User Into Submission

A new banker malware found an interesting way to persuade users into granting it admin permissions. The malware, called Banker-IR, adds three icons to the user’s screen on installation. If the user launches one of them, the malware bombards the user with popups asking for admin privileges. The user cannot get rid of these popups unless they reset the device to factory settings.

For users who are not so technical, the simpler option is to grant the permissions. If that happens, the malware uses the same tactic to persuade the user into making it the default SMS app. Once this happens, the malware connects to its C&C servers and steals the user’s credit card details by displaying yet another popup form.

Another interesting feature of this malware is its anti-emulation techniques. Once the malware is installed, and before beginning any malicious activity, it performs a series of checks to make sure it is not running in an emulator. This technique shows how attackers adapt and can take steps to ensure simple dynamic analysis engines do not easily detect their payloads.

The various malware and vulnerabilities discussed above all point to a simple conclusion: Users are very far from being safe, and to adequately protect themselves, they should implement comprehensive security solutions and not just rely on official app stores to keep them safe.


Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.