In our earlier blog post, we talked about the top 20 malware plaguing the Android platform. In this post, we will give you an insight into how each of these malware function once they gain entry into targeted devices.
The Top 20 Android Malware
• Android.FakeRun.A is designed to display ads on the infected device, to earn money for the malware author.
• The ad urges the user to give it a 5 star rating and increase its popularity.
• The Trojan also prompts the user to share information about the app on their Facebook accounts, even before it starts.
• This Trojan is mostly relevant in the US.
• Android.NickySpy.A steals information from the infected device and sends it to an external server.
• Once installed, it hides itself; it gets installed as “Android System Message”
- Records the victim’s telephone calls.
- Keeps track of the location.
- Sends SMSs to premium-rate numbers.
3. Android GingerMaster
• Android GingerMaster typically comes with fake versions of popular games.
• Once installed, the application gains admin rights.
• It sends confidential data to external servers.
• The malware can also download additional applications in the background without the user’s knowledge.
• It can give remote access of the device to the hacker.
• Android.Nyearleaker.B comes in the form a live wallpaper application that steals information.
• Once installed, the malware performs the following functions:
- Fetches information about the device’s WiFi connectivity.
- Checks for running applications in the device.
- Collects country code, Google account email address, and Android ID.
• It sends the stolen data to its own server.
• Android.Ewalls.B comes as a wallpaper application, and steals information of the infected device.
• The malware steals the following information, once the user installs it in their phone:
- SIM details
- Operator name
- Device’s serial number (IMEI – International Mobile Station Equipment Identity)
- Model and build detail
• It sends the collected data to a live server.
• Android.Obad.A is a sophisticated Android malware that gains admin privileges.
• Once it gains admin rights, it cannot be deleted manually.
• It opens a backdoor in the infected device, downloads files and steals information.
• The malware also sends SMSs to premium-rate numbers, and can allow the hacker to gain complete control of the device.
• Android.Iconosis.A steals information from infected Android devices.
• Once installed, the malware collects the phone number of the compromised device.
• Every time it is executed, it sends an SMS to the number.
• It also collects the IMEI number of the device, and sends the data to an external server.
• Android.Aplog.A is usually detected as a fake version of legitimate games; Temple Run is one of them.
• Once installed, the malware keeps track of the infected phone’s WiFi.
• The malware gathers information about the installation and uninstallation of applications in the device.
• Later it sends all such information to an external server.
• Android.FakeInst.AI can allow hackers to manipulate SMSs in the compromised Android device.
• It can be used to manipulate user location and gain access to private information.
• The malware can send manipulated SMSs to premium-rate numbers.
• The malware can read the phone state of the user.
• Android.Fakebrows.A2aab disguises itself as a legitimate app.
• It asks the user for a phone number when it runs for the first time, and stores the number in a text file.
• Every time it gets executed, it checks for the stored number. If the number is present, then it runs the phone’s default browser.
• It monitors incoming SMSs to the compromised device, and forwards the same to the number that was set when it was run for the first time.
• Exploit.Lotoor.Af is an exploit design to gain root privileges on Android devices.
• Once installed, the exploit can gain complete privilege to perform any activity on the compromised device.
• This exploit has a shell script, and this helps it in gaining admin rights.
• The exploit will work only when the device has an SD card mounted on it. If not, it simply refuses to run.
• Android.Fakelook.A5046 is a back door that hides itself from the Application List.
• Once executed, this Android malware collects the following information:
- Identity of the compromised device
- Files list from the SD card on the device
• Android.Badao.A sends a text message to a particular number, after it is installed.
• After its first launch, the application icon automatically disappears.
• Whenever the victim’s phone receives any new SMS, it is hidden or removed from the compromised device, and the original message is sent to the attacker’s server.
• Android.Fakeapp displays ads by downloading configuration files without the user’s knowledge.
• It collects the compromised device’s IMEI number and phone number.
• It sends the stolen information to an external server.
• Exploit.Zergrush.C48 attacks any vulnerability present in the targeted Android device, to gain root privileges.
• This type of application sets the property “ro.kernal.qemu” to 1 which makes the infected device run like an emulator.
• This category of application copies itself to /data/local/tmp/boomsh and change its privilege.
• It copies shell from “/system/bin/sh” to “/data/local/tmp/sh”.
• Android.Downsms.A is a Trojan horse that sends SMSs to premium-rate numbers, and even removes sent messages.
• It can write to external storage.
• The malware can open network socket.
• Android.MketPay.A is usually found repacked in legitimate applications available in many Chinese markets.
• The malware performs the following functions:
- Sends SMSs.
- Collects IMEI number and phone number of the compromised Android phone.
- Automatically places orders for buying apps without the user’s consent.
- Intercepts, blocks, and deletes incoming SMSs.
• Sends the stolen information to a remote server.
• Android.Tatus.A, once installed, keeps a track of SMSs received by the infected device.
• It keeps a record of applications installed in the device, and sends this data to a remote server.
• Android.Opfake.E is a Trojan horse that comes bundled with a legitimate version of the Opera mobile browser.
• The malware collects data such as IMEI number, operator name, phone type, OS version, and country location.
• It sends SMSs to premium-rate numbers without the victim’s knowledge.
• The malware connects to a command-and-control server to receive instructions.
• Android.Ksapp.C is repackaged from a legitimate application. This application contains configuration file.
• It steals sensitive information and sends the gathered information to a remote server.
• The malware also downloads apk files.
As mobile technology grows by leaps and bounds, cyber criminals strive to find flaws in it. And they use these flaws to hit the unsuspecting and innocent. So, instead of learning this the hard way, we always have a better option – staying updated about IT security, and employing mobile security solutions that do what they promise.
Blog Post Acknowledgement: Quick Heal Threat Research and Response Team.