The Top 20 Android Malware – How they work

1. Android.FakeRun.A

• Android.FakeRun.A is designed to display ads on the infected device, to earn money for the malware author.
• The ad urges the user to give it a 5 star rating and increase its popularity.
• The Trojan also prompts the user to share information about the app on their Facebook accounts, even before it starts.
• This Trojan is mostly relevant in the US.

2. Android.NickySpy.A

• Android.NickySpy.A steals information from the infected device and sends it to an external server.
• Once installed, it hides itself; it gets installed as “Android System Message”
The malware:

• Records the victim’s telephone calls.
• Keeps track of the location.
• Sends SMSs to premium-rate numbers.

3. Android GingerMaster

• Android GingerMaster typically comes with fake versions of popular games.
• Once installed, the application gains admin rights.
• It sends confidential data to external servers.
• The malware can also download additional applications in the background without the user’s knowledge.
• It can give remote access of the device to the hacker.

4. Android.Nyearleaker.B

• Android.Nyearleaker.B comes in the form a live wallpaper application that steals information.
• Once installed, the malware performs the following functions:

• Fetches information about the device’s WiFi connectivity.
• Checks for running applications in the device.
• Collects country code, Google account email address, and Android ID.

• It sends the stolen data to its own server.

5. Android.Ewalls.B

• Android.Ewalls.B comes as a wallpaper application, and steals information of the infected device.
• The malware steals the following information, once the user installs it in their phone:

• SIM details
• Operator name
• Device’s serial number (IMEI – International Mobile Station Equipment Identity)
• Model and build detail

• It sends the collected data to a live server.

6. Android.Obad.A

• Android.Obad.A is a sophisticated Android malware that gains admin privileges.
• Once it gains admin rights, it cannot be deleted manually.
• It opens a backdoor in the infected device, downloads files and steals information.
• The malware also sends SMSs to premium-rate numbers, and can allow the hacker to gain complete control of the device.

7. Android.Iconosis.A

• Android.Iconosis.A steals information from infected Android devices.
• Once installed, the malware collects the phone number of the compromised device.
• Every time it is executed, it sends an SMS to the number.
• It also collects the IMEI number of the device, and sends the data to an external server.

8. Android.Aplog.A

• Android.Aplog.A is usually detected as a fake version of legitimate games; Temple Run is one of them.
• Once installed, the malware keeps track of the infected phone’s WiFi.
• The malware gathers information about the installation and uninstallation of applications in the device.
• Later it sends all such information to an external server.

9. Android.FakeInst.AI

• Android.FakeInst.AI can allow hackers to manipulate SMSs in the compromised Android device.
• It can be used to manipulate user location and gain access to private information.
• The malware can send manipulated SMSs to premium-rate numbers.
• The malware can read the phone state of the user.

10. Android.Fakebrows.A2aab

• Android.Fakebrows.A2aab disguises itself as a legitimate app.
• It asks the user for a phone number when it runs for the first time, and stores the number in a text file.
• Every time it gets executed, it checks for the stored number. If the number is present, then it runs the phone’s default browser.
• It monitors incoming SMSs to the compromised device, and forwards the same to the number that was set when it was run for the first time.

11. Exploit.Lotoor.Af

• Exploit.Lotoor.Af is an exploit design to gain root privileges on Android devices.
• Once installed, the exploit can gain complete privilege to perform any activity on the compromised device.
• This exploit has a shell script, and this helps it in gaining admin rights.
• The exploit will work only when the device has an SD card mounted on it. If not, it simply refuses to run.

12. Android.Fakelook.A5046

• Android.Fakelook.A5046 is a back door that hides itself from the Application List.
• Once executed, this Android malware collects the following information:

• Identity of the compromised device
• SMSs
• Files list from the SD card on the device

13. Android.Badao.A

• Android.Badao.A sends a text message to a particular number, after it is installed.
• After its first launch, the application icon automatically disappears.
• Whenever the victim’s phone receives any new SMS, it is hidden or removed from the compromised device, and the original message is sent to the attacker’s server.

14. Android.Fakeapp

• Android.Fakeapp displays ads by downloading configuration files without the user’s knowledge.
• It collects the compromised device’s IMEI number and phone number.
• It sends the stolen information to an external server.

15. Exploit.Zergrush.C48

• Exploit.Zergrush.C48 attacks any vulnerability present in the targeted Android device, to gain root privileges.
• This type of application sets the property “ro.kernal.qemu” to 1 which makes the infected device run like an emulator.
• This category of application copies itself to /data/local/tmp/boomsh and change its privilege.
• It copies shell from “/system/bin/sh” to “/data/local/tmp/sh”.

16. Android.Downsms.A

• Android.Downsms.A is a Trojan horse that sends SMSs to premium-rate numbers, and even removes sent messages.
• It can write to external storage.
• The malware can open network socket.

17. Android.MketPay.A

• Android.MketPay.A is usually found repacked in legitimate applications available in many Chinese markets.
• The malware performs the following functions:

• Sends SMSs.
• Collects IMEI number and phone number of the compromised Android phone.
• Automatically places orders for buying apps without the user’s consent.
• Intercepts, blocks, and deletes incoming SMSs.

• Sends the stolen information to a remote server.

18. Android.Tatus.A

• Android.Tatus.A, once installed, keeps a track of SMSs received by the infected device.
• It keeps a record of applications installed in the device, and sends this data to a remote server.

19. Android.Opfake.E

• Android.Opfake.E is a Trojan horse that comes bundled with a legitimate version of the Opera mobile browser.
• The malware collects data such as IMEI number, operator name, phone type, OS version, and country location.
• It sends SMSs to premium-rate numbers without the victim’s knowledge.
• The malware connects to a command-and-control server to receive instructions.

20. Android.Ksapp.C

• Android.Ksapp.C is repackaged from a legitimate application. This application contains configuration file.
• It steals sensitive information and sends the gathered information to a remote server.
• The malware also downloads apk files.