With the largest installed base of all operating systems, Android has certainly taken the mobile world by storm, and as the active user stats show, Android just keeps on getting bigger.
The platform has evolved to bring new form factors – televisions, smartwatches and cars spring to mind – but also new vulnerabilities and exploits.
HummingBad and Gooligan
HummingBad – the components of which are encrypted – “establishes a persistent rootkit with the objective to generate fraudulent ad revenue” for criminals.
Polkovnichenko and Koriat observed that the infection vector of HummingBad was a drive-by download attack via several adult content sites, with the intention of causing some serious harm:
“As the malware installs a rootkit on the device, it enables the attacker to cause severe damage if [they] decide to change [their] objectives, including installing a key-logger, capturing credentials and even bypassing encrypted email containers.”
Later in 2016, the Check Point team identified an advanced variant of the “Ghost Push” malware found in a version of the SnapPea backup application. Dubbed “Gooligan”, the attack campaign compromised one million Google accounts to “access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more” via authorisation token theft.
Check Point found Gooligan malware code in “dozens” of legitimate-looking apps on third-party Android app stores; a total of 86 apps available in these external marketplaces had the potential to root 74 percent of the entire Android smartphone market.
Google’s Director of Android Security Adrian Ludwig responded to concerns in a brief statement, confirming that Google was aware of the threat.
Top tips for staying safe
1. Steer clear of sideloading
Sideloading – bypassing the Play Store to install apps from external sources – can be risky business. Rather than individually screening app submissions for malicious code, Google have opted for an approach based around continuous monitoring.
As with the mixed bag of Android malware scanners and protection mechanisms, Google’s “Bouncer” can be bypassed. If downloaded outside the Play Store, it’s difficult to know whether a file ending in
.apk is truly safe – which is why “unknown sources” is switched off by default on Android.
Three days after Pokémon GO arrived in Australia and New Zealand, Proofpoint researchers identified a modified version infected with the DroidJack RAT (also known as SandroRAT), spread through third party app stores.
So, in a nutshell: steer clear of sideloaded apps and stick with Google Play, or only use vetted third-party sources like Amazon Appstore, Humble Bundle or your organisation’s internal marketplace.
2. Keep your device up to date
The platform’s user base is segmented by varying levels of release adoption – from legacy manufacturers stuck with KitKat to Google’s flagship Pixel running the newest stable build of Nougat.
Billed as “a toxic hellstew of vulnerabilities” by Apple CEO Tim Cook, fragmentation creates deeper issues that extend beyond users’ “fear of missing out” on Android’s latest and greatest features.
Early last August, the Check Point team disclosed details pertaining to “QuadRooter” – a set of four vulnerabilities affecting Android devices with Qualcomm chipsets.
Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.
As part of the official remediation strategy, Check Point remind users to download and install the latest Android updates as soon as they become available – including important security updates that help keep your device protected. Here’s how to do that:
- Visit your device’s Settings menu.
- Scroll to the bottom and select “About phone.”
- Select the “check for updates” or “system updates” option.
It’s good advice, but the bad news is that you may be one of the unlucky Android users who finds that following it results in nothing happening.
The sad truth is that purchasers of some manufacturers’ Android phones are being treated poorly – with no prospect of ever receiving security updates to defend themselves against threats.
3. Check app permissions carefully
Multiple permission models exist across the Android platform, meaning that malicious actors may target specific device classes when exfiltrating data to endpoints and shady ad networks. Before installing a new app, check the permissions requested, and be especially wary of those tagged with “this may cost you money” or with unnecessary requirements that may violate your privacy.
The Proofpoint research team allude to this point in its analysis of the infected Pokémon GO app:
Another simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings → Apps → Pokemon GO and then scrolling down to the Permissions section.
4. Read up on reviews and developer profiles
Be careful though – malicious hackers often create fake versions of popular apps, fabricating a stream of overly positive reviews to drown out users’ complaints. Sift through the haphazard array of spam to identify legitimate comments, and be sure to flag suspicious apps or comments to the Google Play store team.
Looking to another case which surfaced in August 2016: fake builds of the Prisma photography app placed up to 1.5 million users at risk of unwanted advertisements and data theft, as David Bisson reports.
Similar to the Pokémon GO DroidJack infection, David remarks that “malicious developers couldn’t resist” creating fake Prisma applications, with research from ESET indicating the emergence of several Trojan-laced versions.
Some people swear by running some type of anti-virus product on their Android device, while others shudder at the idea – claiming that it will be too hungry on system resources, and isn’t worth it.
We think you should decide for yourself.
There are plenty of well-known security firms out there who have produced Android versions of their products – with some of them free for use by consumers. See how you get on and whether you can live with it.
Chances are, especially in an ecosystem where it can be hard to rely upon Android security patches from your phone’s manufacturer, that some form of anti-virus might provide an additional layer of protection.
But you should try it for yourself, trying out different security products, and see if you can live with one of them.
Stay up to date on the latest developments by keeping a close eye on our latest coverage on Android-related security issues.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.