The last malware inside the Android Market, dubbed Plankton, has been discovered by the same team which discovered DroidKungFu led by Xuxian Jiang, Assistant Professor at North Carolina State University. Although the brand new malware does not root the device, it has the bad habit to hide itself inside familiar apps related to the popular game Angry Birds. The suspected apps were removed on 6/5/2011, but since the malware leverages a new evasion technique which allowed it to stay in the market for more than 2 months without being detected by current mobile anti-malware software, but being downloaed more than 100.000 times.
Plankton is included in host apps by adding a background service: when the infected app runs, it will bring up the background service which collects information, including the device ID as well as the list of granted permissions to the infected app, and send them back to a remote server discovered by Sophos to be hosted in the Amazon Cloud.
The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.
Once the JAR file is downloaded, Plankton uses a technique for loading additional code from non-Market websites demonstrated by Jon Oberheide about a year ago, providing a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.
The downloaded code launches another connection to the Command server and listens for commands to execute.
Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.
As a consequence the pressure on Google is building on two fronts: on one side, users are demanding better security and on the other side security vendors are asking for better operating system interfaces to make security software more effective against the ever-increasing tide of Android malware.
- Plankton malware drifts into Android Market (nakedsecurity.sophos.com)
Not even a week after the light version of DroidDream, a new nightmare rises from the Android Market to menace the dreams of glory of the Google Mobile OS (which has just confirmed his #1 Rank on the comScore April 2011 U.S. Mobile Subscriber Market Share Report).
Curiously, also the new malware, discovered by F-Secure, and dubbed Android/DroidKungFu.A, “has its roots” on DroidDream since it uses the same exploit, rageagainstthecage, to gain root privilege and install the main malware component.
Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package.
Of course, who is familiar with Android malware may easily imagine the next step of the infection: the malware is in fact capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory.
In few words, the device is turned into a member of a botnet (without realizing it we are closer and closer to Phase 4 of Mobile Malware, consult slide 9 of my presentation for the different phases of Mobile Malware).
Guess where the malware was detected first? Of course from some parallel Markets in China, at least according to some Researchers of the North Carolina University who detected two infected applications in more than eight third-party Android app stores and forums based in China. Nothing new under this sun of June. Luckily the researchers haven’t found infected apps in non-Chinese app stores… At least so far.
As previously stated DroidKungFu takes advantages of the same vulnerabilities than DroidDream, but this time the situation seems to be much worse. As a matter of fact it looks like DroidKungFu is capable of avoiding detection by security software.
The malware makes its best with Android 2.2 and earlier, but the owners of later versions of Android are not entirely safe: the security patches severely limit DroidKungFu, but the malware is still able to collect some user data and send them to a remote site.
Again, follow basic, common-sense guidelines for smartphone security in order to mitigate the risks of infection (here you may find some useful suggestions), even because Google Wallet is at the gates and I dare not even think to the aftermaths of a malware leveraging vulnerabilities on the Secure Element…
- DroidDream is Back! (paulsparrows.wordpress.com)