Android malware in pictures – a blow-by-blow account of mobile scareware

Thanks to Nagy Ferenc László of SophosLabs for the
behind-the-scenes work that he put into this article.

Fake anti-virus, also suggestively known as scareware, tricks you into paying money by pretending to find threats such as viruses and Trojans on your computer.

The scan to find the “threats” is free; the cleanup part is not.

If you do pay up, the software then pretends to remove the non-existent threats so you may not even realise that you’ve been scammed, on the principle that all’s well that ends well.

But not only are you out of pocket, typically between $40 and $100, you’re also led into a false sense of security, because the clean bill of health provided after you’ve paid is as bogus as the infection report at the start.

This sort of scam is most common on Windows, with OS X a long way back in second place. But other operating systems aren’t exempt from the depredations of cybercriminals.

SophosLabs recently acquired an Android scareware sample going by the entirely hokum name of Android Defender. It’s not particularly polished, and it crashed quite a bit as we played with it, but it does show that the scammers have an active interest in the Android ecosystem.

I thought I’d give you a guided tour of what it looks like. That way, you’ll have some pointers that I hope will help you determine real from fake security software in future.

I started by creating a fresh Android 4.2.2 emulator image and firing it up.

Then I installed the malicious APK (Android Package file). In real life, you might be encouraged to download it from a handy website; I just used the Android Debug Bridge (adb) to inject it from my research computer into the emulated image.

You can see the application icon at top left, since its name conveniently starts with ‘A’.

I launched it to see what would happen. It advised me that my device “is at risk of being infected,” which is an understatement: my device is already infected, because Android Defender is on it.

I’m invited to buy, but there’s no serious pressure yet.

The inital scan quickly suggests I have a problem.

Two viruses, one Trojan and a Malware, to be precise.

You might be inclined to believe this report, since the “threats” found are Android malware names you might have heard of.

But it’s all smoke and mirrors. You don’t have to be a Java coder, or even a programmer at all, to spot in the source code below that the app is using the Math.random() function to build up a list of virus names to report later.

The malware names are field-updatable, stored in Russian and in English in an XML data file that is part of the malware’s APK file.

This is about as close to “malware identities” (also known as signatures, patterns or definitions) as you will find in the app.

There isn’t anything to help the product actually locate viruses in infected files. There’s just a list of names: when you’re choosing randomly even on uninfected devices, recognition patterns just aren’t needed.

Most of the viruses on the list are existing Android malware names, in order to add a ring of verisimilitude. But somehow the Windows-only virus Conficker managed to get in there.

The pressure on me to register the product is increasing, because it’s now time to think about cleaning up the malware.

So I gave it my best shot, and tried to “activate” the software.

The buy page wasn’t working, so I can’t tell you how much the scammers intended to charge.

But it didn’t matter, because I had an activation code up my sleeve from the source code itself.

We saw this happy-go-lucky attitude to activation in early Mac scareware.

Was the activation system this simplistic for experimental convenience, or is it just a prototyper’s indolence? We shall probably never know.

The product crashed after I clicked the Activate button, but when I started it up again, I found that the activation had worked and my device was “fully protected.”

The next system scan is no longer a scary red but a go-ahead green.

Better still, the app is pretending to have “eliminated” the malware it “detected” earlier.

In fact, the software builds a small sqlite database in which it remembers what viruses it has “found”, and whether it has fraudulently “cleaned” them, so it will be consistent in its dishonesty.

There’s a half-hearted privacy manager tool built in to the app, presumably because that’s the sort of feature that other Android security products provide.

And there’s an update page, though the crooks forgot to translate that part properly.

The update pretends to work, even listing signature files it supposedly downloaded from the internet.

(In my case, it couldn’t have downloaded anything from outside – I tested in with my device in Airplane Mode, which inhibits all outbound connections. That cuts you off in the emulator, just as it would on a real device.)

Updates are only simulated once a day, in order to appear more realistic.

The app pretends that its pattern database has increased in size every time you update. Once again, the Java pseudorandom number generator is used behind the scenes.

I don’t imagine you installed this progam, but if you did, you need to remove it right away.

And you couldn’t have installed it without first telling your device that you wanted the freedom to go looking for software outside Google’s own official Play Store.

I’d suggest, if you did so (since it ended badly enough for you to get this malware!) that you turn “Unknown sources” off once again.

And you might want to consider installing a proper Android security tool in which the detection and the cleanup are free.

Sophos Security and Antivirus is available from the Play Store, so you don’t need to enable “Unknown sources” to install it.

And yes, it does actually look for threats before it reports them.

If it finds a threat, there aren’t any demands. Just a warning and an instant “Uninstall” button.

In the words of many a Naked Security video and podcast, thanks for listening, and until next time, stay secure!