Android malware trends
Could it be that 2011 is the year when the long-standing predictions about the rise of mobile malware come true? Symantec’s Irfan Asrar thinks that there are definite indicators that it might be so.
Of course, 2011 isn’t over yet – far from it. But, the evidence is there that the creators of mobile threats are getting increasingly bolder in their efforts and are good at thinking outside the box. “We are seeing increasing attempts to complicate the infection vectors of mobile malware to the point where a simple uninstall is insufficient,” he says.
When it comes to threats targeting Android users and devices, a common strategy employed by the malware developers is the separation of the malicious package into staged payloads – first comes the relatively innocuous code, which is then followed by additional malicious modules.
This way of operating presents many advantages: application permission lists that are less likely to make the user suspicious and the comparative easiness of hiding and injecting into other apps smaller pieces of code. “Furthermore, dispersing the attack across separate apps complicates the integrated revocation processes from the service provider, marketplace, etc,” points out Asrar.
Also, the additional components that the already present threats can download at a later time can often use official channels of distribution as well as Internet/direct downloads.
Another strategy that is geared towards making the download of further payloads easier and not dependent on user confirmation is the signing of the initial payload with an AOSP (Android Open Source Project) certificate. This way, all future downloads by the payload are treated as updates and don’t require the approval of the user in order to get downloaded.
“Another interesting trend that Symantec has observed is the use of in-app features that facilitate the promotion and/or download of other apps,” shares Asrar. “In some cases, we have seen this implemented as full-fledged browsing access to another third-party app store that has been embedded as undocumented functionality of the original app that the user has downloaded from the official marketplace—without any indication that the victim is downloading browsing apps from another website or store.”
This approach still requires users to approve the installation of apps, but raises the probability of them doing so since they already trust the initial app and are likely not to be aware from where the additional app is downloaded.