Android: the Perils of Popularity

Despite the long lines you see stretching from stores when a new iPhone comes out, Android phones rule. According to IDC[i], Android’s market share hovers at over 80 percent while iOS has a market share in the teens. Android’s popularity — and vulnerability to attacks — arise from Google’s decision to make Android an open OS.

Being an open OS lets many manufacturers make devices that can run Android. However this leads to OS fragmentation when several vendors each release several models over several years resulting in thousands of active versions of Android. This wouldn’t be a big deal except each version has software vulnerabilities that must be patched. At best, it can take weeks for users to receive a patch from Google, a smartphone manufacturer, or an OEM. Attackers have taken notice.

To exploit these vulnerabilities, attackers now put malware right in the Google Play app store. They do this by obfuscating the malware components of their apps to slip them past Bouncer, the tool Google uses to scan apps before allowing them to be sold through the Google Play store. Another way to get malware past Bouncer security scans is to use a dropper. A dropper attack starts with the attacker uploading an app to Google Play that doesn’t contain malware. After the victim downloads and installs the dropper app, it contacts the attacker’s server and downloads malware to the user’s device. A case in point is “Charger” ransomware for Android devices that Check Point security researchers recently analyzed. Researchers discovered Charger embedded in an app called EnergyRescue, which is available through Google Play. The infected app steals contacts and SMS messages from the user’s device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment. You can read more about Charger ransomware here.

Malware for Android is also becoming more dangerous in other ways. Check Point’s mobile research team has observed attackers putting redundant components in malware. If security disables one component, the second component keeps attacking. Other persistent threats prevent users from removing their malware by hiding the app’s icon, delaying when the malware runs, camouflaging malware to look like a legitimate app and using social engineering to get elevated privileges that stop users from uninstalling the app.

If your organization’s employees connect their Android phones and tablets to your network services like email and VPNs, an alarm should go off in your head. Make sure you have mobile security controls in place that will prevent users’ mobile phones from becoming an entryway for attacks on your organization.

Learn more about today’s changing threat landscape by downloading the 2016 Check Pont Security Report.