What Android threats look like

I’ve been doing some reading recently on Android threats, specifically some stuff by Eric Chien, Technical Director of Security Technology and Response at Symantec.  Anything you read here is not stuff I’ve come up with myself, but rather is based upon the research of others, primarily Chien.

In today’s mobile market, Android is the platform that malware authors target most.  Why?  There are three factors:

  1. It’s popular (Gartner estimates 50% of the smartphone market and 300 million devices in 2012), and

  2. It’s open (i.e., anyone can write an application for it), and

  3. It’s monetizable (attackers are able to make $1 million per year).

Where are all these apps coming from?  Doesn’t Google review them?  Apple reviews every app before it appears in its App Store, but Google does not review submissions to the Android Market up front.  And you can get Android apps from places other than the Android Market.  78% of Maldroids (I invented that term just now) are hosted on 3rd-party sites, primarily in China (there is no Android Market in China, so many Maldroids target Chinese users), 38% are hosted on both the Android Market and 3rd-party sites, while 1% are hosted exclusively on the Android Market.

Malicious code is hidden inside legitimate applications.  Android apps ship as Dalvik bytecode compiled from Java, which decompiles readily, so it’s possible to reverse engineer an app, replace some of its code and rebuild the package.  For example, a malware author would download Angry Birds, change some of the ads so that the ad revenue goes to the attacker, re-sign the rebuilt package with a key of his own (Android accepts any self-signed key, so nothing stops him) and then upload the app as Angrier Birds FREE! with a similar logo.  A lot of users would be tricked by the following:

[image clip_image001: the look-alike app listing]
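The mechanics behind that repackaging, as an added example that is not from the original post or from Symantec’s research: every file in an APK is covered by a digest in META-INF/MANIFEST.MF under the classic JAR (v1) signing scheme, so an attacker who swaps the ad publisher ID in place produces a package the installer rejects. To make it installable again he must rebuild the manifest and sign it with a key he controls, which is exactly what gives the impostor away: same app, different signer. The file contents, the “certificate” blobs and the package name below are constructed stand-ins (a real APK holds binary XML and classes.dex, and CERT.RSA is a PKCS#7 block rather than an opaque string); the signer identity is modelled by hashing that blob instead of parsing the certificate out of it.

```python
"""Model of why a repackaged APK carries a different signer than the original.

Added example, not code from the post.  Uses only the standard library.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST_ENTRY = "META-INF/MANIFEST.MF"
SIGNER_ENTRY = "META-INF/CERT.RSA"  # PKCS#7 signature block in a real APK

# Constructed sample content; real APKs hold binary XML and a Dalvik classes.dex.
ORIGINAL_FILES = {
    "AndroidManifest.xml": b'<manifest package="com.example.birds"/>',
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/values/strings.xml": b'<string name="ad_publisher">pub-ORIGINAL-DEVELOPER</string>',
}
DEVELOPER_CERT = b"constructed stand-in for the developer's signing certificate"
ATTACKER_CERT = b"constructed stand-in for the attacker's self-signed certificate"


def entry_digest(data):
    """Base64 SHA-256 of one entry, the form MANIFEST.MF records."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries):
    """MANIFEST.MF as the JAR (v1) scheme writes it: one digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(entries):
        lines += [f"Name: {name}", f"SHA-256-Digest: {entry_digest(entries[name])}", ""]
    return "\r\n".join(lines).encode()


def build_apk(entries, signer_cert):
    """Zip the entries with a freshly built manifest and signer blob (a re-sign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr(MANIFEST_ENTRY, build_manifest(entries))
        z.writestr(SIGNER_ENTRY, signer_cert)
    return buf.getvalue()


def naive_edit(apk_bytes, name, new_data):
    """Swap one entry in place without touching META-INF: the amateur's edit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = new_data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


def parse_manifest(raw):
    """Map entry name -> declared digest; manifest lines fold at 72 bytes with a leading space."""
    text = raw.decode().replace("\r\n", "\n").replace("\n ", "")
    declared = {}
    for section in text.split("\n\n"):
        fields = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in fields and "SHA-256-Digest" in fields:
            declared[fields["Name"]] = fields["SHA-256-Digest"]
    return declared


def tampered_entries(apk_bytes):
    """Entries whose content no longer matches MANIFEST.MF (or that it never declared)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        declared = parse_manifest(z.read(MANIFEST_ENTRY))
        for name in z.namelist():
            if not name.startswith("META-INF/") and declared.get(name) != entry_digest(z.read(name)):
                bad.append(name)
    return sorted(bad)


def signer_fingerprint(apk_bytes):
    """Stand-in for the signing certificate's fingerprint (hash of the CERT.RSA blob)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return hashlib.sha256(z.read(SIGNER_ENTRY)).hexdigest()


def classify(reference_apk, candidate_apk):
    """tampered: will not install; repackaged: installs but under a different signer."""
    if tampered_entries(candidate_apk):
        return "tampered"
    if signer_fingerprint(candidate_apk) != signer_fingerprint(reference_apk):
        return "repackaged"
    return "same-signer"


def demo():
    original = build_apk(ORIGINAL_FILES, DEVELOPER_CERT)
    hijacked = dict(ORIGINAL_FILES)
    hijacked["res/values/strings.xml"] = b'<string name="ad_publisher">pub-ATTACKER</string>'
    edited = naive_edit(original, "res/values/strings.xml", hijacked["res/values/strings.xml"])
    resigned = build_apk(hijacked, ATTACKER_CERT)
    return classify(original, original), classify(original, edited), classify(original, resigned)


if __name__ == "__main__":
    print(demo())  # ('same-signer', 'tampered', 'repackaged')
```

In practice the rebuild is done with apktool and jarsigner rather than by hand, and newer Android versions add v2/v3 signature blocks that cover the whole zip rather than per-entry digests, but the property the check relies on is unchanged: the attacker can sign with any key except the developer's, so comparing the signer of a suspicious listing against the signer of the genuine app is a cheap way to spot an Angrier Birds.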

The common types of Maldroids today are ones that:

  1. Send SMS messages in high volume (typically to premium-rate numbers, which is how the attacker gets paid),

  2. Perform pay-per-click, pay-per-use or pay-per-view fraud, such as generating views of pay-per-click video,

  3. Repackage applications so that the ad revenue goes to the attacker instead of the original author (e.g., Monkeyball was only available for Nokia, but a malware author “ported” it to Android), and

  4. Intercept credentials, where the malware captures the one-time passcodes used for two-factor authentication, such as a code sent to the phone by SMS.  This is more popular in Europe than it is in North America.
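Types 1 and 4 leave footprints in the app’s manifest, and the following triage script, added here as an example that is not from the post or from Symantec, shows how a reviewer would look for them. It reads an AndroidManifest.xml as decoded to text by apktool (the file inside the APK is binary XML) and flags two things: the SEND_SMS permission, and a broadcast receiver registered for SMS_RECEIVED at a high priority, which on the Android versions of the day runs before the stock messaging app and can abort the broadcast so the user never sees the one-time code. The three manifests below are constructed samples: a plain game, a “FREE!” clone of it with the interceptor wired in, and a receiver at default priority that should not be flagged.

```python
"""Manifest triage for the SMS-based Maldroid types (premium SMS, code interception).

Added example, not code from the post.  Input is a manifest decoded by apktool.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Receivers at or above this priority run before the stock messaging app on
# pre-4.4 Android and can call abortBroadcast() to hide the incoming message.
INTERCEPT_PRIORITY = 1000

# Constructed sample manifests (shape matches apktool's decoded output).
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Puzzle FREE!">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BACKUP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsbackup">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="SMS Backup">
    <receiver android:name=".Logger">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace, e.g. android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def filter_priority(intent_filter):
    """android:priority as an int; resource references like @integer/x count as unknown (0)."""
    raw = android_attr(intent_filter, "priority") or "0"
    return int(raw) if raw.lstrip("-").isdigit() else 0


def triage_manifest(xml_text):
    """Return a list of (code, detail) findings; empty means nothing SMS-related."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    if "android.permission.SEND_SMS" in perms:
        findings.append(("send-sms",
                         "can send SMS; premium-rate fraud is possible if the app has no messaging purpose"))
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.iter("action")}
            priority = filter_priority(flt)
            if SMS_RECEIVED in actions and priority >= INTERCEPT_PRIORITY \
                    and "android.permission.RECEIVE_SMS" in perms:
                findings.append(("sms-intercept",
                                 f"{android_attr(receiver, 'name')} handles SMS_RECEIVED at priority "
                                 f"{priority}, ahead of the messaging app"))
    return findings


if __name__ == "__main__":
    for label, manifest in [("game", GAME_MANIFEST), ("clone", CLONE_MANIFEST), ("backup", BACKUP_MANIFEST)]:
        print(label, triage_manifest(manifest))
```

The script flags capability, not intent: a genuine messaging app legitimately declares both permissions and a high-priority receiver. What makes the second manifest suspicious is the mismatch with the app’s stated purpose, a puzzle game that has no business reading text messages, so the findings are a prompt for a human look at the decompiled receiver, not a verdict.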

However, Android malware is still in its infancy, which means that most of it is not sophisticated.  At most, the code is obfuscated with ProGuard, some strings are encrypted and the malicious functionality is downloaded after install.  For the most part, though, the malware is not very advanced compared to a lot of what is seen on the PC platform (this meshes with what I learned about many APTs at the Virus Bulletin Conference in 2011: many attacks are not very technically sophisticated).

Compared to advanced malware on the PC platform, Maldroids are small potatoes… for now.

Looking ahead, the likely growth in Android threats will come from an increase in unvetted 3rd-party marketplaces and from the growing use of mobile devices for financial transactions.  We have already seen Zitmo (ZeuS-in-the-mobile) attacks, and as usage increases, so will these attacks.

In my next post, I’ll look at what Google is doing to combat these threats.