Handheld Hacks: The Rise Of Android Malware

We oftentimes can look at the devices in our pockets and not see them for what they are, which is tiny computers. Far more advanced than anything one could have imagined a few generations ago, smartphones have changed our lives and how we interact with each other on a dramatic scale.

All computers, no matter their size nor function, will all share the same base logic and very often follow similar hardware architecture. In this sense, a smartphone could be thought about like a desktop computer on your pocket – They share nearly all the same features, though the input is quite different!

And like a desktop computer, all smartphones, no matter the make, model, or operating system, are vulnerable to malware. There is no mobile operating system that has more malware designed for it than Android. The reason? Market share.

When many businesses are trying to sell a product, they want to try to target as big a chunk of the market as possible to increase their chance of a potential sale. For example, would you rather sell to fifty people, or one hundred? Of course, you’d say one hundred – It doubles your chance of a sale when compared to the first option.

And so it is with hackers and malware developers – Android is simply the largest market. Infact, the Android market is so big that it may be the biggest market out of any product ever created.

Take the mobile market – Android makes up roughly 70% of this market. iOS takes the lions share of the rest, however about 5% of this 30% is made up of linux smartphones or those using more obscure operating systems.

This number is impressive enough – If you’re reading this online, it’s likely you live in a place in the world where 95% of the people you know own a smartphone.

But let’s compare this to the entire operating system market – Including operating systems like Windows, Mac, Linux – any type of operating system one can use on a computer of any type.

In this context, Android makes up nearly 50% of the market. That is to say, nearly half of all existing computers on the planet are Android. This number lines up with a Google conference in 2021, which stated that active Android devices are nearly at 3 billion – 1 in 2 people on the planet own an Android smartphone. 1 in 2 not may seem special in the Western World, but when you consider the multitudes who simply do not have access to smartphones, it becomes quite impressive.

With regards to the total number above – The remaining is made up of Windows at about 30%, with iOS, OSX, Linux, and others making up the last 20%.

Given these numbers, it isn’t difficult to see why the majority of mobile malware is found on Android – There is simply a larget pool of victims to catch.

Though iOS has its fair share of malware too, it really is nothing compared to Android. It is worth noting that Apple’s App Store is very tight in security regulations also, whereas Google Play often lets malware just walk in undetected. There is also the question of unofficial, non-Google sources for apps and .apk installations. Though offering a brilliant selection of applications far greater than Google Play, these so-called ‘black’ markets are often rife with malware.

Downloading apps, be it through the Play Store or unofficial channels is one of the most common attack vectors for Android malware.

It is also quite common for hackers to target operating system vulnerabilities. We often get pings on our phones requesting an update be performed – These are crucial to complete, as they patch out many security flaws being exploited by hackers.

Similar to its desktop counterpart, Android malware also commonly enters the device through phishing. Phishing, which we often associate with email, has an extra attack layer on smartphones as it can also occur through text messages, and even voicemails. These lures often lead users to fake login pages, or request a malicious app be downloaded.

Another attack vector that occurs more on mobile is non-secure WiFi. Of course, this can happen with laptops too, but is less common. Using unsecure WiFi on your mobile device can you leave you open to man-in-the-middle attacks, as well as web browser attacks.

Android malware can range from being an irritation to being destructive to our private lives. It is common to see malware that functions as adware, spamming a users phones with annoying popups. But the more serious threats including theft of banking credentials, contact details, email access, social media access, and more.

Banking Trojans are a particularly nasty piece of malware that focus in an specific banking apps on androids.

With the information collected from a device, hackers will often sell this on and leave you at risk of robocalls, more phishing texts, more ads, and more serious malware.

In this article, we’ll look at the genesis of mobile malware, some of the big android malware stories this summer, and give you advice on how to prevent your Android smartphone from becoming infected.

History of Android Malware

The smartphone was first introduced in the late 90s/early 00s, with Symbian OS. Symbian OS a joint effort by between Psion, Nokia, Ericsson, Motorola, and Sony in an effort to halt Microsoft from extending its desktop monopoly into the mobile devices market.

2000 was a big year for Symbian, with the launch of the Ericsson R380 and the Nokia 9210, which were both the first truly ‘smart’ phones.

These initial years were malware free, and the first virus wouldn’t appear until 2004. This malware was Cabir, a worm designed to infect Symbian OS.

Cabir itself wasn’t designed maliciously and was made as a proof of concept. It could infect any device running Symbian, which was all smartphones at the time.

Cabir was harmless, all it did was displaying the message ‘Caribe’ anytime the phone was turned on. As a proof-of-concept, the source code was not shared with the public.

The peace didn’t last long however – The code for Cabir was eventually stolen by hackers, who began to repurpose it for more malicious ends.

Within 12 months, there was a plaethora of Symbian malware based off Cabir. These included trojans like Pbstealer, which could steal address books and transfer them off the device using bluetooth.

In 2007 and 2008, the iPhone and first Android smartphone were released respectively, signalling the end for Symbian. Nokia, who by now had largest control of the OS, managed to cling on for a number of other years but eventually made the switch to Windows Phone OS, and scrapped Symbian. Effectively, they blew a ten year lead to Apple and Google.

Like Symbian, Android didn’t have enough of a user-based to attract many malware developers initially. This would change by August 2010 with the first Android malware appearing, a trojan named AndroidOS.DroidSMS.A. The trojan was used for SMS fraud.

Within a week, TapSnake emerged, a virus which could transmit GPS locations of infected phones.

At almost the same time, FakePlayer appeared. It masqueraded as a movie player app, and did actually carry out this function (Rather poorly, though). However, FakePlayer would covertly send SMS messages to premium numbers.

iPhone users saw few threats during this time. Individuals who jailbroke their iPhones for greater freedom were targeted, however.

Android malware rapidly became more sophisticated. Backdoors, trojans, and spyware were becoming commonplace.

NickSpy was one of the earliest spyware strains for Android, which would record phone conversations and upload them to a C&C. Later versions would do the same but with SMS infomation and photos. NickSpy was ingenius for its time, as modern Android spyware carries out these activities to this day.

2011 saw the first cross-platform attacks. Hackers behind the infamous Zeus Trojan which affected desktops used man-in-the-middle attacks against Android phones to harvest mobile authorization codes. These codes were then used to access a victims banking accounts on desktop.

Android malware continues to advance. Google has tried to stay ahead, but truthfully it is a never-ending digital arms race against legions of hackers, with new ones emerging everyday. What the future holds for Android is unclear, despite its monumental market share it is worth remembering that Symbian once held and even bigger share. What is for certain though, is that mobile malware is here to stay.

A Flurry Of Attacks On The Google Play Store

Earlier this month, it was revealed that a batch of 35 Android malware apps had made their way onto the Google Play Store. The apps have been installed over 2 million times already.

The discovery was led by researchers at Bitdefender, during a routine behavior based analysis of potential malware apps.

Using a tried and trusted method, the Android malware apps lure users into installing by offering specialized functionality. After installation, the apps change their name and icon, making them difficult to locate for most users.

These 35 apps all share similar behaviour when deployed, which is to serve intrusive advertisements to the users by abusing WebView. This generates fraudulent impressions and ad revenue for the hackers behind the apps.

Due to the fact that the Android malware collection uses their own frameworks to generate the ads, it would certainly be possible for them to drop additional malware payloads to a device.

Bitfender also noted that the apps recieve future updates to enable them to hide easier on users devices in future.

Typically, one of these apps will masuqerade as a system function. For example, it is common for the icon to change to a cog wheel and rename itself as ‘Settings’. Another common name is ‘System Processes’, and the like.

If a user is to tap the icon, the app launches with a size of 0 pixels, making it invisible. It will then launch the legitmate settings menu, in order to trick the user.

Very often the app icons will take the look of a popular manufacturer, such as Samnsung.

The apps use code obfuscation and encryption to defend themselves against reverse engineering, as well as to hide their primary payloads.

Many of the group hide themselves from the ‘Recent Apps’ list, adding an extra layer of invisibility.

The most popular apps of the group, which have 100,000 downloads each, are the following:

• Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren)
• Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
• Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder)
• Engine Wallpapers (gb.helectronsoftforty.comlivefour)
• Stock Wallpapers (gb.fiftysubstantiated.wallsfour)
• EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo)
• Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight)
• Fast Emoji Keyboard APK (de.eightylamocenko.editioneights)
• Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
• Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera)
• Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo)
• Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme)
• Animated Sticker Master 1.0 (am.asm.master)
• Sleep Sounds 1.0 (com.voice.sleep.sounds)
• Personality Charging Show 1.0 (com.charging.show)
• Image Warp Camera
• GPS Location Finder (smart.ggps.lockakt)

At the time of writing, many of these are still available on the play store. All of them are still available on non-Google stores, such as APKPure.

Hackers Quash Security Updates

In August of this year, Google released Android 13, promising a litany of new security features. One of these was a ‘Restricted Setting’ feature. However, this feature has already been bypassed by Android malware developers.

A core goal of Android 13 is to cripple Android malware, in particular those that used permissions to perform extremely destructive attacks.

Despite these efforts, researchers at Threat Fabric have found that hackers are already rolling out Android malware droppers that can bypass these restrictions, and deliver malicious payloads that can access high privileges on a users device.

As stated previously in this article, a common attack vector on Android is the Play Store. When one of these malicious apps are installed, they very often ask for high-level permission access. Giving malware access like this guarentees that the app can do as much damage as possible, especially when it allows for additional payloads to be dropped. This is normally done by abusing the Accessibility Services function.

Accessibility Service is a disability assistance system that allows apps to perform swipes, taps, and screen changes automatically. All these can be carried out without a users knowledge of what is occuring.

Android 13’s ‘Restricted Setting’ feature blocked sideloaded applications from requesting Accessibility Service privileges, which in theory should have stopped the attacks.

Researchers at ThreatFabric demonstrated that this wasn’t the case when they developed a proof-of-concept dropped that entirely bypassed the feature, and gained access to Accessibility Services. Additionally, they pointed out in their report that there were several strains of Android malware that have been doing the same.

One of these is BugDrop, named so due to the amount of bugs generated in its initial deployment.

This novel dropper features code similar to Brox, a freely distributed malware development tutorial project circulating on hacker forums, but with a modification in one string of the installer function.

“This string, which is not present in the original Brox code, corresponds to the action required by intents to create an installation process by session.” said researchers in their report.

“When fully implemented, this slight modification would circumvent Google’s new security measures fully, even before they are effectively in place.”

Though BugDrop is in its early stages, the group behind it, Hakoden, are no strangers to the Android Malware scene. The gang are behind the Gymdrop dropped as well as the Xenomorph Android banking trojan.

When BugDrop is complete (and less buggy), researchers speculate that it will be used in Xenomorph campaigns, enabling on-device credential theft on even the most recent of Android devices.

A Banking Trojan With Ransomware DNA

One of the most profilic Android banking trojans, SOVA, has added an array of new features, code improvements, and a new ransomware feature that encrypts files. The SOVA Android malware is now capable of targeting over 200 cryptocurrency exchanges and digital wallets, and attempts to steal sensitive data and cookies from them.

SOVA is also more capable of hiding itself on compromised devices.

The updates were discovered by researchers at Cleafy, who have followed the project since its genesis in mid-2021. As far as malware goes, SOVA has seen rapid updates, and is now already on 5.0. A development cycle as productive as this is rarely seen even in industry software.

3.0 saw the addition of 2FA interception, cookie stealing, and increased the amount of banks it could hack using overlay injections.

4.0 was released in July, which increase the amount of targeted banks 200, and added virtual network computing for on-device fraud.

SOVA will send a list of installed apps to the C&C, and recieves an XML with a list of addresses that point to correct overlays for the bank in question. It is also capable of taking screenshots, interacting with the screen, and copying/pasting files.

As for the new ransomware capability, SOVA uses AES encryption to encrypt files.

“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data.” said Clefy in their report.

Researchers believed SOVA 5.0 is still in development, due to a missing moduling as well as the fact it hasn’t been spotted in the wild much yet. Despite this, Cleafy still believe that SOVA 5.0 is ready for mass-deployment in the Android Malware market.

Due to its rapid developed and sophisticated features, SOVA is becoming a leader in the world of mobile malware.

Sophisticated Spyware

Earlier this year, researchers at Meta reported on a new Android malware strain known as ‘Dracarys’. At the time, Dracarys was mentioned as being capable of data theft and geolocation, as well as using microphone capabilities.

The malware has become more popular, and more details have emerged on Dracarys, revealing it to be a more than capable piece of spyware. It was developed by the Bitter hacking gang, and using in cyberespionage across New Zealand, the UK, India, and Pakistan.

Researchers at Cyble performed a deeper dive into Dracarys, which was shared with reporters at various publications.

Dracarys is delivered via a trojanized version of Signal, a popular messaging app. Victims are directed to a phishing page which appears as a legitimate Signal download portal, and uses the domain, “signalpremium[.]com”.

Signal uses open source code, and in a move displaying sophistication, Bitter compiled a version of Signal with its regular features and functions. However, Dracarys is is embedded within the modified source code.

Permissions requested upon installation include contacts, SMS, camera, access, microphone, r/w storage, make calls, and access location.

These should raise flags, but to most users this may seem quite typical for a messaging app like signal to ask.

When running, the Android malware contacts its C&C server to recieve instructions governing what data needs to be collected from the host device.

Dracarys can collect quite a bit of data, including the contact list, SMS data, files, GPS position, and more.

Like any good spyware, Dracarys can capture screenshots and record audio, relaying these files back to the C&C.

Using social engineering to impersonate legitimate apps is a extremely common, and users should be on the lookout for this kind of behaviour at all times.

Malware Trinity Hits Google Play

As mentioned previously in this article, it is common for Android Malware to make its way to the Google Play store. Though we spoke about malware that appears as intrusive ads, there can be much more serious variations found on the Play store.

Recently, researchers at Zscaler discovered three potent malware strains on the play store, namely Joker, Facestealer, and Coper.

At the time of writing, the apps containing these viruses have been removed, but those still using the apps are still affected. Furthermore, it is only a matter of time until they appear once more.

The Joker malware family is no stranger to the aisles of the play store, having repeatadly being uploaded there on numerous ocassions in the last few years. Joker is a data theif, harvesting informating from SMS messages and other sources. It subscribes numbers to premium application services to get its creators paid.

In their latest inflitration, Joker trojanized 50 apps and accounts for over 300,000 downloads.

The majority of these were communication apps, which usually ask for a number of risky permissions. This makes it easier to avoid detection.

“Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and creates an ARM ABI executable to avoid detection by most sandboxes which are based on x86 architecture,” explains Zscaler in the report.

Facestealer, as the name applies, is adept at stealing Facebook accounts. It does this by using fake login overlays, a sting which has proven to be successful in previous attempts.

This particular virus hides in utility apps, in one example researchers found an app named “Vanilla Snap Camera” which was installed over 5000 times.

Coper is a particularly sophisticated strain, being capable of intercepting SMS, scanned SMS, deploying overlays, sending SMShing texts, and relaying this information back to a C&C.

Coper isn’t hidden directly in the app download, but is downloaded seperately as a fake program update.

Adware Nesting On Social Media

We tend to trust advertisements on websites we feel are credible, but this is a mistake. Recently, Facebook saw a number of aggressively promoted ads, which were recommending adware apps. These apps were presenting themselves as cleaners and optimizers, and have seen millions of installations.

The apps, of course, lack their promised functionality, and instead push advertisements and try to remain undetected as long as possible.

Like previously mentioned malware strains, the apps will hide themselves by changing names and icons, pretending to be Settings or even the Play Store.

The advertisements and the apps were discovered by researchers at McAfee, who noted the users don’t actually need to launch the the app to be affected with intrusive ads.

The apps will create a permanent service for displaying advertisements, which, if killed, will relaunch.

Because users are brought through both facebook and the play store, there is a high level of trust assumed. This has led to a huge number downloads, with some of the apps mentioned below:

• Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
• EasyCleaner, com.easy.clean.ipz, 100K+ downloads
• Power Doctor, com.power.doctor.mnb, 500K+ downloads
• Super Clean, com.super.clean.zaz, 500K+ downloads
• Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
• Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
• Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
• Keep Clean, org.clean.sys.lunch, 1M+ downloads
• Windy Clean, in.phone.clean.www, 500K+ downloads
• Carpet Clean, og.crp.cln.zda, 100K+ downloads
• Cool Clean, syn.clean.cool.zbc, 500K+ downloads
• Strong Clean, in.memory.sys.clean, 500K+ downloads
• Meteor Clean, org.ssl.wind.clean, 100K+ downloads

Users should always be wary of ‘cleaning’ software, as they are one of the most common vessels for malware attacks on any device.

Mitigating Android Malware

It is much easier to tell if your Android has malware than if your desktop device is infected. Here are some tell-tale signs that your Android is infected

• Pop-ups, intrusive ads
• Ads on websites where they shouldn’t be any
• Increased battery drain not just due to age nor usage
• Apps you don’t recognise
• Your Android has slowed down, crashes often, or keeps displaying error messages
• New icons in your toolsbars
• Your Android won’t shut down, or restart, or allow you to remove apps
• Your browser has tabs you didn’t open
• Your contacts say they have emails from you which you didn’t send.

If you do believe your device has been infected, the first course of action should be using Play Protect. This is a security module built into all Android phones, and is accessed in the Google Play Store. Simply open the store, access the menu, select Play Protect, and choose Scan. If Play Protect identifies malware, it will ask you would you like to remove.

As you’ve seen throughout this article, Googles defenses aren’t always water-tight. As useful as Play Protect is, it fails to handle every attack.

There are several preventative steps you can take to avoid getting infected to begin with:

Using Google Play Only
Using third-party marketplaces will increase your exposure to malware. Again, there is plenty of malware on Google Play, but much less than on the black market.

Examine App Permissions
Don’t allow every app all its requested permissions. Think carefully. Does the app really need this much access? Why is it asking for so many types of access?

Stay Clear of Free Trials Or Copycat Software
Many apps offer free trials, or free versions of popular software. These are very regularly disguised malware, and are best avoided.

Keep Your Phone Updated
As stated earlier, this is critical in ensuring your phone cannot be exploited by hackers.

Be Aware of Phishing in all its forms
Keep an eye out for suspcious emails, as well as texts.

Don’t click on pop-ups
Many of these are gateways to further infections.

Disable Bluetooth In Public
Bluetooth can often be used as an access point for drive-by malware.

Use a VPN that focuses on cybersecurity
Your best course of preventative action is a VPN, especially one that focuses on cybersecurity. While many VPNs are used for things like location spoofing, here at SaferNet we have developed a mobile VPN with cybersecurity at its core. SaferNet was designed for the mobile market, and the ever increasing threats facing it.