Android malware in pictures - a blow-by-blow account of mobile scareware

Filed Under: Android, Fake anti-virus, Featured, Google, Malware

Thanks to Nagy Ferenc László of SophosLabs for the behind-the-scenes work that he put into this article.

Fake anti-virus, also suggestively known as scareware, tricks you into paying money by pretending to find threats such as viruses and Trojans on your computer.

The scan to find the "threats" is free; the cleanup part is not.

If you do pay up, the software then pretends to remove the non-existent threats so you may not even realise that you've been scammed, on the principle that all's well that ends well.

But not only are you out of pocket, typically between $40 and $100, you're also led into a false sense of security, because the clean bill of health provided after you've paid is as bogus as the infection report at the start.

This sort of scam is most common on Windows, with OS X a long way back in second place. But other operating systems aren't exempt from the depredations of cybercriminals.

SophosLabs recently acquired an Android scareware sample going by the entirely hokum name of Android Defender. It's not particularly polished, and it crashed quite a bit as we played with it, but it does show that the scammers have an active interest in the Android ecosystem.

I thought I'd give you a guided tour of what it looks like. That way, you'll have some pointers that I hope will help you determine real from fake security software in future.

I started by creating a fresh Android 4.2.2 emulator image and firing it up.

Then I installed the malicious APK (Android Package file). In real life, you might be encouraged to download it from a handy website; I just used the Android Debug Bridge (adb) to inject it from my research computer into the emulated image.

You can see the application icon at top left, since its name conveniently starts with 'A'.

I launched it to see what would happen. It advised me that my device "is at risk of being infected," which is an understatement: my device is already infected, because Android Defender is on it.

I'm invited to buy, but there's no serious pressure yet.

The initial scan quickly suggests I have a problem.

Two viruses, one Trojan and a Malware, to be precise.

You might be inclined to believe this report, since the "threats" found are Android malware names you might have heard of.

But it's all smoke and mirrors. You don't have to be a Java coder, or even a programmer at all, to spot in the source code below that the app is using the Math.random() function to build up a list of virus names to report later.

The malware names are field-updatable, stored in Russian and in English in an XML data file that is part of the malware's APK file.

This is about as close to "malware identities" (also known as signatures, patterns or definitions) as you will find in the app.

There isn't anything to help the product actually locate viruses in infected files. There's just a list of names: when you're choosing randomly even on uninfected devices, recognition patterns just aren't needed.

Most of the viruses on the list are existing Android malware names, in order to add a ring of verisimilitude. But somehow the Windows-only virus Conficker managed to get in there.
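The "definitions" described above can be checked for yourself by unpacking the APK, which is just a ZIP archive. The script below is an added example, not code from the original post or from SophosLabs: it pulls the name list out of a resource XML file and reports the two giveaways the post describes, a list with nothing to match against and a Windows-only family on a mobile "scanner". The resource path res/xml/threats.xml, the XML layout, the threat names, the match attributes and the Windows-only list are all constructed for the example; the post does not give the real file names.

```python
"""Triage the 'definitions' a scareware APK actually ships.

Added example, not code from the original post or from SophosLabs.
An APK is a ZIP archive, so the resource XML can be pulled out with the
standard library alone. The resource path res/xml/threats.xml, the XML
layout, the threat names and the Windows-only list are constructed for
this example; the post does not give the real file names.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed stand-in for the malware's name list: names only, with no
# byte pattern or hash attached, in English and Russian as the post
# describes. The family names are real Android families used as labels.
THREAT_XML = """<?xml version="1.0" encoding="utf-8"?>
<threats>
  <threat lang="en" type="Virus">Android.FakePlayer</threat>
  <threat lang="ru" type="Virus">Android.FakePlayer</threat>
  <threat lang="en" type="Trojan">Android.Geinimi</threat>
  <threat lang="en" type="Malware">Conficker</threat>
</threats>
"""

# Attributes a real definition entry might carry (constructed set). A bare
# name with none of these gives a scanner nothing to match against.
MATCH_ATTRS = ("pattern", "sha256", "md5")

# Constructed list of families that only exist on Windows. A "mobile"
# product that reports one of these on Android is not looking at files.
WINDOWS_ONLY = {"conficker", "sality", "virut"}


def build_mock_apk() -> bytes:
    """Build an in-memory ZIP shaped like an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("res/xml/threats.xml", THREAT_XML)
    return buf.getvalue()


def load_threat_entries(apk_bytes: bytes, path: str = "res/xml/threats.xml") -> list:
    """Read every <threat> element from the XML list inside the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        root = ET.fromstring(zf.read(path))
    entries = []
    for el in root.iter("threat"):
        if not el.text or not el.text.strip():
            continue
        entries.append({
            "name": el.text.strip(),
            "lang": el.get("lang", "?"),
            "type": el.get("type", "?"),
            "has_match_data": any(el.get(a) for a in MATCH_ATTRS),
        })
    return entries


def triage(apk_bytes: bytes) -> dict:
    """Summarise why this 'definition file' cannot drive a real scanner."""
    entries = load_threat_entries(apk_bytes)
    names = sorted({e["name"] for e in entries})
    return {
        "name_count": len(names),
        "languages": sorted({e["lang"] for e in entries}),
        # True when no entry carries anything to match against.
        "names_only": not any(e["has_match_data"] for e in entries),
        # Names from the wrong platform are a giveaway on their own.
        "wrong_platform": [n for n in names if n.lower() in WINDOWS_ONLY],
    }


if __name__ == "__main__":
    for key, value in triage(build_mock_apk()).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing `build_mock_apk()` with the bytes of the APK and `path` with whatever XML file under `res/` holds the names (`unzip -l` on the APK shows the candidates). A genuine definition set has to carry something the engine can match, so a file that is nothing but localised names is the tell, whatever the names are.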

The pressure on me to register the product is increasing, because it's now time to think about cleaning up the malware.

So I gave it my best shot, and tried to "activate" the software.

The buy page wasn't working, so I can't tell you how much the scammers intended to charge.

But it didn't matter, because I had an activation code up my sleeve from the source code itself.

We saw this happy-go-lucky attitude to activation in early Mac scareware.

Was the activation system this simplistic for experimental convenience, or is it just a prototyper's indolence? We shall probably never know.

The product crashed after I clicked the Activate button, but when I started it up again, I found that the activation had worked and my device was "fully protected."

The next system scan is no longer a scary red but a go-ahead green.

Better still, the app is pretending to have "eliminated" the malware it "detected" earlier.

In fact, the software builds a small sqlite database in which it remembers what viruses it has "found", and whether it has fraudulently "cleaned" them, so it will be consistent in its dishonesty.

There's a half-hearted privacy manager tool built in to the app, presumably because that's the sort of feature that other Android security products provide.

And there's an update page, though the crooks forgot to translate that part properly.

The update pretends to work, even listing signature files it supposedly downloaded from the internet.

(In my case, it couldn't have downloaded anything from outside: I tested it with my device in Airplane Mode, which inhibits all outbound connections. That cuts you off in the emulator, just as it would on a real device.)

Updates are only simulated once a day, in order to appear more realistic.

The app pretends that its pattern database has increased in size every time you update. Once again, the Java pseudorandom number generator is used behind the scenes.

I don't imagine you installed this program, but if you did, you need to remove it right away.

And you couldn't have installed it without first telling your device that you wanted the freedom to go looking for software outside Google's own official Play Store.

I'd suggest, if you did so (since it ended badly enough for you to get this malware!) that you turn "Unknown sources" off once again.

And you might want to consider installing a proper Android security tool in which the detection and the cleanup are free.

Sophos Security and Antivirus is available from the Play Store, so you don't need to enable "Unknown sources" to install it.

And yes, it does actually look for threats before it reports them.

If it finds a threat, there aren't any demands. Just a warning and an instant "Uninstall" button.

In the words of many a Naked Security video and podcast, thanks for listening, and until next time, stay secure!



6 Responses to Android malware in pictures - a blow-by-blow account of mobile scareware

  1. Steve Baker · 509 days ago

    I just wanted to say a huge thanks to all of you at Sophos for producing quiet, efficient, and especially in the case of my new Galaxy S4, really cool protection software (love the SMS controls!)

    Especially impressive to me is that you don't charge for the Mac OS and mobile utilities - which demonstrates a strong position and a positive attitude towards protection.

    As well, I'd like to thank you for taking the time to produce these informative posts on Facebook - they're pretty much the only thing I spend time reading (once I manage to filter through the tidal waves of cat pictures!), and I have made good use of the knowledge you are sharing.

    Great work.

  2. Laurence Marks · 509 days ago

    Any comments on the overhead of Sophos Security and AntiVirus for Android? My office desktop runs the product of your big name competitors, providing firewall and anti-virus functions. It consumes a good chunk of HDD space (hard to tell how much since it scatters files all over), consumes much of my 100 Mbps Ethernet connection continuously, and takes my system to its knees for 10-15 minutes once or twice a day. A series of non-uniformly named and filed programs (making it harder to identify their origin) consumes cycles and connectivity.

    I don't want to do the same thing with my Android phone. Not interested in halving my battery life, slowing my performance, or consuming my download quota. Is this product optimized for space, performance, and bandwidth?

    • Paul Ducklin · 509 days ago

      You'll have to try it and see...I can only wave my hands and say, "Sure, it's lean and mean" :-)

      Having said that:

      * It doesn't scan all file accesses all the time, like a desktop anti-virus, because Android doesn't permit that (at least in any standard way). So by default it only kicks in with an on-access scan when you install a new item of software, and it only uses your internet connection to do a lookup in the "Sophos cloud" for the latest threat intelligence. When you're installing something new, the installation itself will dominate hugely in respect of cycles, "disk" space and network.

      * You can configure the cloud lookups so they only happen on your home network, or even only when you're on Wi-Fi. I like to be very parsimonious with my 3G connection and I haven't got any complaints about how much bandwidth Sophos uses.

      (Current app bandwidth use lists from my phone for the last week on 3G, which I use about 97% of the time: Sophos is at the very bottom of the list.)

      * You don't need to do background on-demand scans unless you want to, in which case it won't use any battery at all, as far as I know.

      To be honest, I keep forgetting it's there, until I install something new (or update existing apps) and see a "comfort message" to say that the new APK was just scanned and found clean.

      I don't think you'll get any surprises. And it has privacy and security advisors that are super easy to use, and much handier than you might at first think. (I accidentally enabled NFC the other day. Didn't notice. Sophos did, and quickly took me to fix it.)

  3. Given the sandbox nature of the Android architecture, how much can a (non-root) malware scanner actually detect about other applications beyond their name, permissions granted and other generic properties? While "scanning" per se seems tricky to achieve, other features in the Sophos app do look like handy things to draw together into a clear interface for the non-expert user.

    Google's Chris DiBona had a bit of a rant a couple of years back about AV companies with products for mobile - be interested to hear your take on it.

    • Paul Ducklin · 509 days ago

      As I mentioned above, a general-purpose runtime monitor is tricky, but an "at install time" pre-flight check *is* possible, and Sophos for Android does just that.

      Since you get read access to the APK, you can (and we do) work on the actual stuff being installed, not just name, permissions and other generic properties.

      So it's not just "scanning," it's *scanning*, if my punctuation marks convey the pronunciational differences I mean to imply :-)

      As for DiBona's "scammers and charlatans," you can hear us discuss it in some details in the Chet Chat 77 podcast:

      nakedsecurity.sophos.com/sscc-77

      Of course, Google has a rudimentary virus checker in Android now...guess the Google techies didn't ask Mr DiBona what he thought. Or they asked him and then utterly ignored his rant :-)
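The point made in the reply above, that an install-time check can work on the actual bytes of the APK rather than just its name and permissions, is illustrated by the added example below. It is not Sophos's code and not from the original post: it shows the simplest form of such a pre-flight check. The two packages, the dex payloads and the blocklist digest are constructed for the example. The check confirms the package has the entries an installable APK needs, that a v1 (JAR-style) signature block is present, and that no dex file hashes to a known-bad value; it does not verify the signature cryptographically, and it only knows v1 signing, since v2 and later schemes live in the APK Signing Block outside the ZIP entries.

```python
"""A minimal install-time pre-flight check for an APK.

Added example, not Sophos's code and not from the original post. It
shows the kind of check that becomes possible once you have read access
to the package being installed, rather than only its name and permission
list. The packages, dex payloads and blocklist digest are constructed.
It does not verify the signature cryptographically and only knows v1
(JAR-style) signing; v2 and later live in the APK Signing Block, which
is not a ZIP entry.
"""
import hashlib
import io
import zipfile

REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")

# Constructed dex payloads: one stands in for the scareware's code, one
# for a harmless app. Only the first is in the blocklist.
KNOWN_BAD_DEX = b"dex\n035\x00" + b"constructed-fake-defender-classes"
BENIGN_DEX = b"dex\n035\x00" + b"constructed-benign-classes"

# Constructed blocklist keyed by SHA-256 of the dex file. A real product
# matches on far more than whole-file hashes; this is the simplest
# example of working on the bytes being installed.
BLOCKLIST = {hashlib.sha256(KNOWN_BAD_DEX).hexdigest(): "constructed FakeAV signature"}


def make_apk(dex_payload: bytes, signed: bool = True) -> bytes:
    """Constructed in-memory package shaped like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        zf.writestr("classes.dex", dex_payload)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder-pkcs7")
    return buf.getvalue()


def is_dex_entry(name: str) -> bool:
    """classes.dex, classes2.dex, ... at the archive root."""
    return "/" not in name and name.startswith("classes") and name.endswith(".dex")


def preflight(apk_bytes: bytes) -> dict:
    """Return {'install': bool, 'reasons': [...]} for the given package."""
    verdict = {"install": True, "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        return {"install": False, "reasons": ["not a ZIP archive"]}
    with zf:
        names = set(zf.namelist())
        missing = [e for e in REQUIRED_ENTRIES if e not in names]
        if missing:
            return {"install": False, "reasons": [f"missing {missing}"]}
        # v1 signing leaves a signature block file under META-INF/.
        if not any(n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES) for n in names):
            verdict["install"] = False
            verdict["reasons"].append("no v1 signature block under META-INF/")
        # Hash every dex file, not just the first: multidex apps ship several.
        for name in sorted(n for n in names if is_dex_entry(n)):
            digest = hashlib.sha256(zf.read(name)).hexdigest()
            if digest in BLOCKLIST:
                verdict["install"] = False
                verdict["reasons"].append(f"{name} matches {BLOCKLIST[digest]}")
    return verdict


if __name__ == "__main__":
    print("scareware:", preflight(make_apk(KNOWN_BAD_DEX)))
    print("benign:   ", preflight(make_apk(BENIGN_DEX)))
    print("unsigned: ", preflight(make_apk(BENIGN_DEX, signed=False)))
```

The whole-file hash lookup is the least you can do with the dex; once you have the bytes, string-table inspection, code-pattern matching and signer-certificate checks are all on the table, which is the difference between "scanning" and scanning.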

  4. Does Android have drive-by malware installations?

    I thought most Android malware can be negated by simply uninstalling them. Unlike Windows malware, the user doesn't have to go hunt for other files to delete.

    Also, I remember that a flashlight tool I installed changed the default start page of stock browser. Does Sophos clean up such changes?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog