Revealed! The top five Android malware detected in the wild

Filed Under: Android, Featured, Malware, Mobile

Download free version of Sophos Mobile Security for AndroidThe release of a brand new version of Sophos's free anti-virus for Android (it actually does much more than just anti-virus, hence our marketroids call it Sophos Mobile Security) makes this an opportune time to update users on the Android malware landscape.

SophosLabs has examined the stats produced by installations of Sophos Mobile Security, which is now being used on Android smartphones and tablets in 118 different countries around the world - and it's making for interesting reading about which malware is being most frequently encountered on the platform.

Top 5 Android malware

1. Andr/PJApps-C. When Sophos Mobile Security for Android detects an app as Andr/PJApps-C it means that we have identified an app that has been cracked using a publicly available tool. Most commonly these are paid for apps that have been hacked. They are not necessarily always malicious, but are very likely to be illegal.

2. Andr/BBridge-A. Also known as BaseBridge, this malware uses a privilege escalation exploit to elevate its privileges and install additional malicious apps onto your Android device. It uses HTTP to communicate with a central server and leaks potentially identifiable information.

These malicious apps can send and read SMS messages, potentially costing you money. In fact, it can even scan your incoming SMS messages and automatically remove warnings that you are being charged a fee for using premium rate services it has signed you up for.

3. Andr/BatteryD-A. This "Battery Doctor" app falsely claims to save battery life on your Android device. But it actually sends potentially identifiable information to a server using HTTP, and aggressively displays adverts.

4. Andr/Generic-S. Sophos Mobile Security generically detects a variety of families of malicious apps as Andr/Generic-S. These range from privilege escalation exploits to aggressive adware such as variants of the Android Plankton malware.

5. Andr/DrSheep-A. Remember Firesheep? The desktop tool that can allow malicious hackers to hijack Twitter, Facebook and Linkedin sessions in a wireless network environment? Andr/DrSheep-A is the Android equivalent of the tool.

As I'm here writing this run-down, I might as well document some of the other most commonly-seen Android malware:

Andr/DroidRt-A is a set of privilege escalation exploits that can allow someone to to obtain root access to an Android device.

Andr/Opfake-C is a fake Opera app which may install other malicious Android packages and send SMS messages to a premium line number, depending on country.

As you can see for yourself in the following video by SophosLabs researcher Vanja Svajcer, the Andr/Opfake-C malware has been spread via Facebook in the past.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

Andr/Boxer-A. Similar in terms of functionality to Andr/Opfake-C, this malware poses as a fake installer for an Opera browser update, Skype, Anti-virus software, Instagram and many other popular apps.

Fake anti-virus on Android

Fake Instagram app

The malware may install other malicious Android packages and - predictably - send SMS messages to premium rate services numbers. It attempts to evade detection by adding a random number of images of "witness from Fryazino" therefore making the APK file binary different every few downloads.

It's quite clear that Android malware is a growing problem. If you think it's time to protect your Android smartphone or tablet against the threats, check out the free download of Sophos Mobile Security.

Thanks to SophosLabs researcher Vanja Svajcer for his assistance with this article.

, , ,

You might like

10 Responses to Revealed! The top five Android malware detected in the wild

  1. raph3ix · 1174 days ago

    What about Mania & Foncy? None of them apper much in the wild?

  2. pjb1972 · 1174 days ago

    I've been using Lookout, and have been happy with it, but am always open to alternatives that might be better at the core function of detecting malware. \have done, or are planning to benchmark against other security apps?

  3. Warren · 1174 days ago

    I looked at the Sophos app, but when I saw it wanted permission to send SMSs and access my contacts, I decided not to.

    • Some folks have asked why the app requests rights to send SMS messages and access your contacts.

      When you do a remote lock or locate, the app sends you an SMS with latitude/longitude or confirmation that the lock was successful,

      Access to contacts is required because the user specifies from which other phone numbers they might wish to remotely lock/locate their missing Android. You can choose those numbers from your contacts

      Hope that helps explain it - and well done on being cautious!

      • chris · 1171 days ago

        i haven't looked at the app entry on the play store, but if it's not there, you guys might wanna include the permissions information/explanation in the description.

        i've seen more than a few wannabe security experts downloading apps just to leave negative, nonsensical rants about permissions requirements, especially when they're not explained in the app description.

  4. That's probably one of the reasons Apple restricts what apps can be installed/executed on iOS.

    I dislike AV on desktops/laptops (which is why I don't use it) but can you imagine having to virus scan your phone? That just sounds ridiculous to me...

    • michael555x · 1173 days ago

      Not as ridiculous as you might think. Today's smart phones have the same functionality as a personal computer, and should really be treated as such. We also don't know who else is on the same public networks when connecting to whatever WiFi spot.

  5. Instead of a text based password, I use a drawing symbol based security password. Can your product accommodate this app, since it is not dependent on text characters and access is granted to the device based on the symbol drawn on the screen of a matrix containing nine dots?

  6. Chris · 1170 days ago

    i feel very comfortable knowing my phone is secure. A work colleague uses a pay as you go simcard in his phone for work use and used to moan about the cost of this pay as you go service, he later discovered

    an 'app' was responsible for using up his internet allowance in about 1 hour ! it was Sophos' anti-virus that found the culprit!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley