27
Malware Threats, Hoaxes, and Taxonomy
ads were not easily blocked and usually required either the complete
removal of the infected application or another application to block the
ads from being pushed.
Counterclank
Counterclank was a variety of Plankton Android malware and was
also known as Apperhand SDK. This application had two major anti-
virus companies scratching their heads trying to determine whether
it was adware or malware. It turned out Counterclank was
an aggressive form of an ad network. It was capable of identifying
a user's device by its IMEI. Counterclank had features like push
notification ads, through which it constantly pushed advertisements to the
device's notification bar. It also had the app icon feature, which cre-
ated a search icon in the device's applications menu that linked to
a legitimate search engine. When users accessed the search icon,
Counterclank could also push bookmarks into the device's browser.
SMSZombie
Appearing in Chinese third-party markets, the malware infected over
500,000 devices in the span of a few weeks. The malware worked by
sending SMS messages to China's mobile online payment system.
NotCompatible
NotCompatible was the first piece of mobile malware to use Web sites
as a targeted distribution method. The malware was automatically
downloaded when a user visited an infected Web site via a device's
browser. The downloaded application used a bit of social engineering
by disguising itself as a security update to convince a user to install it.
Once successfully installed, NotCompatible was capable of providing
access to private networks by transforming an infected device into a
network proxy, which could then be used to gain access to other pro-
tected information or systems.
Bmaster
Bundled in with legitimate applications, Bmaster was first discovered
on third-party app markets. The majority of the infected victims were
Chinese users. Once installed, the malware exfiltrated sensitive data
from the phone, including the device ID, GPS data, and IMEI num-
ber. The malware also caused users to send SMS messages to premium
numbers. The malware was part of a botnet, and an analysis of its
command and control servers revealed that the total number of infected
devices connected to the botnet over its entire life span ranged in the
hundreds of thousands. The number of infected devices capable of
generating revenue on any given day ranged from 10,000 to 30,000,
which was sufficient to produce millions of dollars annually
for the botmasters as long as the infection rate was sustained.
LuckyCat
LuckyCat was the name given to a campaign of targeted attacks that
struck a group of targets including the aerospace and energy industries
in Japan and Tibetan activists. As part of the broader attack campaign,
the malware authors included Android devices. Once installed, the
Trojan displayed a black icon with the text “testService,” and opened
a backdoor on the device to exfiltrate information. LuckyCat was the
first advanced persistent threat (APT) to target the Android platform.
DrSheep
DrSheep was the Android equivalent of the desktop malware tool
Firesheep. It was capable of hijacking social network accounts such as
Twitter, Facebook, and LinkedIn via a Wi-Fi connection.
2013
GGSmart
GGSmart was a large centralized botnet found mostly in China. Its
main functionality was to send SMS messages to premium-rate num-
bers. e botnet was much more advanced than previous ones, having
the ability to change and control premium SMS numbers, content, and
aliate schemes across the entire botnet network. GGSmart also col-
lected and sent to a remote server system-specic data, and could also
download and install other malware on the device. Other functionalities
of GGSmart include access with read, write, and delete privileges on
the device’s SD card; ability to modify the device’s settings and system
files; and ability to execute the GingerBreak root exploit on the device.
Defender
Defender was the first ransomware discovered for the Android OS.
It masqueraded under the name Android Defender; once it was installed on
the phone, the user had to pay $99.99 to regain access to the device. A
heavy dose of social engineering was used to acquire device admin-
istration privileges. If granted, Defender could access any area of the
device. is gave Defender the ability to restrict access to any applica-
tion, disallow placing phone calls, change system settings, remove any
and all applications, disable all user input buttons including Back and
Home, launch itself on reboot, and execute a factory reset. Surprisingly,
it did not encrypt any data on the device, which is a common tactic of
most ransomware samples. A warning message appeared on the screen
regardless of what the user was doing on the device.
Qadars
Qadars, also known as Spy-ABN, was a banking malware that worked
together with its Windows counterpart. Once a PC was infected
via a man-in-the-browser attack, the malware would instruct users
to download a bank smartphone app with supposedly built-in anti-
fraud measures to perform transactions with their bank. The malware
on the PC denied users access to their bank accounts until they
provided an activation code that was supplied by the Android app.
The app itself intercepted SMS messages to capture the one-time
access codes sent by banks. The Trojan was known to have targeted
Dutch, French, and Indian banks.
MisoSMS
MisoSMS was one of the largest and most sophisticated botnets ever
discovered. It was believed to have been used in at least 65 spyware cam-
paigns; it was capable of collecting and sending SMS messages to remote
servers in China. It masqueraded as a type of Android administrative
task settings app called Google Vx. Once installed, it sent all SMS
messages to the attacker via SMTP to an e-mail address. The majority
of victims were based in Korea. The malware also requested adminis-
trative permission, which, if granted, was used to avoid detection by
hiding from the user. The malware contained the following copyright:
"This service is vaccine killer Copyright (c) 2013 google.org." MisoSMS
used the following code snippet to hide from the user:
MainActivity.this.getPackageManager().setComponentEnabledSetting(
    MainActivity.this.getComponentName(), 2, 1);
// 2 = PackageManager.COMPONENT_ENABLED_STATE_DISABLED (disables the
// app's own activity, removing its launcher icon); 1 = PackageManager.DONT_KILL_APP
MisoSMS used an embedded source object called libmisoproto.so to
carry out socket connections to the SMTP server using Java Native
Interfaces. e shared object was unique to the malware family and
thus was the basis of the malware’s name.
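As an added example that is not from the book, the following Python static-triage check looks for the three MisoSMS traits just described together: the RECEIVE_SMS permission, a device-admin receiver in the manifest, and a call that disables the app's own component. The manifest fragment and decompiled-source lines are constructed, and the function names are this example's own.

```python
# Static triage for the MisoSMS-style pattern described above: RECEIVE_SMS
# permission, a device-admin receiver, and a call disabling the app's own component.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment, not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed decompiled-source lines; the second mirrors the snippet quoted above.
SAMPLE_SOURCE = [
    "SmsMessage[] msgs = Telephony.Sms.Intents.getMessagesFromIntent(intent);",
    "MainActivity.this.getPackageManager().setComponentEnabledSetting("
    "MainActivity.this.getComponentName(), 2, 1);",
    "transport.sendMessage(msg);",
]

# setComponentEnabledSetting(<target>, <state>, ...) with state 2, i.e.
# PackageManager.COMPONENT_ENABLED_STATE_DISABLED, given as a literal or by name.
HIDE_CALL = re.compile(
    r"setComponentEnabledSetting\s*\(\s*([^,]+),\s*"
    r"(?:2|PackageManager\.COMPONENT_ENABLED_STATE_DISABLED)\s*,"
)

def manifest_indicators(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return {"receive_sms": "android.permission.RECEIVE_SMS" in perms, "device_admin": admin}

def hides_own_component(source_lines) -> bool:
    # Only flag calls whose target is the caller itself (getComponentName()),
    # i.e. the app disabling its own launcher entry rather than some other component.
    return any(m is not None and "getComponentName()" in m.group(1)
               for m in map(HIDE_CALL.search, source_lines))

def triage(manifest_xml: str, source_lines) -> dict:
    ind = manifest_indicators(manifest_xml)
    ind["hides_self"] = hides_own_component(source_lines)
    ind["misosms_like"] = ind["receive_sms"] and ind["device_admin"] and ind["hides_self"]
    return ind
```

Each indicator is common in benign apps on its own; the combination is what makes the sample worth a closer look.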
FakeRun
FakeRun was a malware that deceived users into raising its app rank-
ing on Google Play. It masqueraded as an advertisement module stop-
per while actually including several of its own advertisement modules.
It was one of the most widespread malicious codes in the United States
with a strong presence in other countries and did not steal a user’s per-
sonal data. It was a member of a large family of dummy applications
whose sole purpose was to display ads that earned money for the mal-
ware authors. When FakeRun appeared in the Google Play market, it
forced users to give it a five-star rating and to share information about
the app on their Facebook accounts before the app would initially
execute. The only visual users ever received was annoying ads.
TechnoReaper
TechnoReaper malware consisted of two components: a downloader
masquerading as a font installer available on the Google Play Market
and a spyware app downloaded to a device. The spyware monitored
SMS, call logs, and location. This information, along with various
other activities, was logged through a Web portal.
BadNews
Originally discovered in Google Play, BadNews was repacked in
approximately 30 legitimate apps with an estimated 2 million to 9
million downloads. BadNews masqueraded as an advertising net-
work. It was one of the earliest instances of a malicious ad network
actually posing as a network. On installation, the network would download
malware onto the device. BadNews had the following functionalities: it
would send fake news messages and system-specific data to a remote
C&C server and prompt users to install applications. BadNews used
its ad-displaying capabilities to push monetization malware and pro-
mote affiliated apps. BadNews also promoted the premium-rate SMS
fraud malware AlphaSMS. BadNews was identified mostly in the
Russian Federation, Ukraine, Belarus, Armenia, and Kazakhstan.
The authors of this malware used it to promote their other, less popu-
lar apps that also contained BadNews. At the time, there were three
identified C&C servers located in Russia, Ukraine, and Germany.
Obad
Obad, at the time of discovery, was the most sophisticated Android
malware ever discovered. Obad was a multifunctional Trojan, capa-
ble of sending SMS messages to premium rate numbers, installing
other malware on the device, distributing malware via Bluetooth, and
remote execution of root shell commands. The code was obfuscated
and all strings in the DEX file were encrypted. All external methods
were called via reflection and all strings were encrypted, including class
and method names. The malware authors leveraged a discovered error
in the Dex2Jar software to disrupt the conversion of Dalvik bytecode
into Java bytecode. This disruption complicated static analysis of the
malware. The authors also leveraged a discovered error in the Android
OS regarding the processing of the AndroidManifest.xml file. The
authors modified the XML file in a way that did not comply with Google
standards, but the XML file was still processed correctly on the device
as a result of exploiting the Android OS error. This complicated the
dynamic analysis of Obad. The authors exploited another discovered
error in the Android OS that granted Obad extended device adminis-
tration without appearing on the list of apps that had these privileges.