Android Malware uses Google Cloud Messaging; infected over 5 Million Devices

Android Malware using Google Cloud Messaging Service infected over 5 Million Devices

The Kaspersky Lab researchers recently have discovered a  number of Android malware apps are abusing the Google  Cloud Messaging Service (GCM) as  Command and Control server. The GCM  service allows Android  app developers to send messages using JSON  Format for installed apps, but hackers exploited it for malicious  Purposes.
Using Google Cloud Messaging Service (GCM) as Command and Control server  for Android Malware is not a new concept, as last year Security researcher and  Hacker ‘Mohit Kumar‘ demonstrated ‘Android Malware Engine‘ – One of the Most  Sophisticated Android  malware during Malcon conference.

The Kaspersky Lab researchers have detected at  least five  Different Android Trojans that used JSON format:

  1. 1. SMS.AndroidOS.FakeInst.a
  2. 2.
  3. 3. SMS.AndroidOS.OpFake.a
  4. 4. Backdoor.AndroidOS.Maxit.a
  5. 5.
The authors of the malware in  Every case took advantage of Google Cloud Messaging Service  to  Exchange  messages between C&C  services and the malicious app. Once  Gained a Google Cloud Messaging  Service (GCM) ID, malware updates are distributed exploiting directly the Google  cloud services and also any  Command to the malicious agent is sent is  exploiting the service and using  JSON format.

Android Malware using Google Cloud Messaging Service

Google Cloud Messaging Service (GCM) act as Command  and Control server for the Trojans, which makes the malware updates as the  official  Updates via Google.

Furthermore,  The execution of commands  received from the Google Cloud Messaging Service  GCM is performed by the GCM  system and it is impossible to block them  Directly on an infected device. The  only way to cut this channel off  From virus writers is to block developer  accounts with IDs linked to the  Registration of malicious  programs.
SMS.AndroidOS.FakeInst.a  Is the most diffused  agent, according Kaspersky experts more than  4,800,000 installers have been  detected and around 160000 attempted  Installation was blocked in  2012.
It  Can send text messages to premium  numbers, delete incoming text  Messages, generate shortcuts to malicious sites,  and display  Notifications advertising other malicious programs that are spread  under  The guise of useful applications or games” states the Kaspersky blog Post.  is presented as  a porn app and has the primary intent to send messages  to premium numbers,  meanwhile the SMS.AndroidOS.OpFake.a malware is the typical SMS malicious  application of which have been detected also more than 1 million installers.

This last malware is also able to steal  Sensitive  information from the victim’s handset such as  contacts and it is also able to  self-update its code, the agent appeared very active  And was detected in 97  different countries, the majority in Russia and  Eastern countries.
The  Kaspersky team has blocked more than 60,000  Attempted installs, it sends  several commands from both the GCM and its  Own C&C servers such as:

  • Sending premium text messages to a specified number
  • Sending text messages
  • Performing self-updates
  • Stealing text messages
  • Deleting incoming text messages that meet the criteria set by the  C&C
  • Theft of contacts
  • Replacing the C&C or GCM numbers
  • Stopping or restarting its operations
Backdoor.AndroidOS.Maxit trojan  was very dated, first instance was detected in late 2011 and  Appears to be  continuously updated, today the experts counted more than  40 different variants  most often in Malaysia, Thailand, the Philippines  And Burma.
All of  These modifications are very  similar to one another,” “the app opens  Websites with games, while  malicious operations are executed in the  Background.” It has been found  most often in Malaysia, but also in  Thailand, the Philippines and Burma.
The  The first thing the backdoor sets out  to do is collect information about  The phone and the SIM card, including the  phone number and the mobile  Provider. All of this data is uploaded to the  C&C. This is the server that manages all of the  Trojan’s primaries  Functions.
The  Last trojan,, was detected for the first time in  May 2012 and  is a shell app for a Vietnamese porn website which is able  Also to send text  messages to a premium number.
The number of malware that exploits the Google  Cloud Messaging Service is  Destined to increase despite it is still relatively  low, the data on  Their diffusion demonstrated it. These malware are prevalent  in Western  Europe, the CIS, and Asia, virus writers know very well that  execution  Off commands received from GCM is performed by the Google Cloud  Messaging  Service system and it is impossible to block them directly on an   Infected device.
Actually  The only option for security experts  is to block developer accounts  With IDs linked to the registration of malicious  applications.


Retrieved from The Hacker News