Researchers have discovered a number of malicious Android apps are using Google’s Cloud Messaging service and leveraging it as a command and control server to carry out attacks.
A post on Securelist today by Kaspersky Lab’s Roman Unuchek, breaks down five Trojans that have been spotted checking in with GCM after launching.
The first, AndroidOS.FakeInst.a, is one of the more prevalent with more than 4,800,000 installers across 130 countries, primarily Russia and the Ukraine. According to Unuchek, the Trojan can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other, fake malicious programs.
The second, AndroidOS.Agent.ao is being peddled as a pornography app and while with only 300 installers, is substantially less popular than FakeInst., can still can use GCM to send text messages and issue notifications. Also found in Switzerland, Iran, Kenya and South Africa, Agent remains most popular in the UK, where “90% of all attempted infections were detected.”
Researchers found 1,000,000 different OpFake installers disguised mostly as games. The app sends several commands from both the GCM and its own C&C, including the following:
- Sending premium text messages to a specified number
- Sending text messages (typically with a link to itself or a different threat) to a specific number, typically to numbers on the contact list
- Performing self-updates
- Stealing text messages
- Deleting incoming text messages that meet the criteria set by the C&C
- Theft of contacts
- Replacing the C&C or GCM numbers
- Stopping or restarting its operations
Backdoor.AndroidOS.Maxit.a, a backdoor threat that disguises itself as a game, also roots its communications through a C&C that later registers information with GCM. Over 40 variants of the threat can send, delete, and redirect incoming messages, install shortcuts and open websites on its own.
Lastly, Trojan-SMS.AndroidOS.Agent.az is similar to the previously mentioned AndroidOS.Agent.ao in the sense that it models itself as a pornography application. Targeting users in Vietnam, the app can send text messages to premium numbers and connect to GCM to “receive certain messages and add them to the cell phone’s notification section.”
Google Cloud Messaging, initially launched at Google’s I/O conference in 2012, allows developers to send free, lightweight 4kb messages to Android devices. After a developer receives an ID for their applications, they can send data to any device that has the app installed. More than half of the apps available on Google Play use the service to send advertising and information to users to the tune of 17 billion messages per day.
Since the messages are sent in JSON – javascript object notation – and can contain links and commands, attackers can use them to update malware across their apps – effectively turning Google’s service into a C&C server.
Unuchek notes at the end of the research that Google has been notified of the developers in question and states that attackers are using the service shouldn’t come as a surprise.
“It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service,” Unuchek said.
While none of these Trojans are especially new – the OpFake and FakeInst families of malware have proved popular for over a year, infecting systems and sending premium SMS texts to users – it’s interesting to see another infection vector, even in its infancy.