Print 13 comment(s) - last by JimmiG.. on Aug 12 at 3:29 PM

Malware stops its fraud after one run to avoid raising suspicion

Some Android users have found themselves the victim of perhaps the first full-fledged Trojan to hit the system.  Our story on the trojan yesterday drew a great deal of attention, so we decided to dig into this one a bit deeper.

A reader -- Jon Oberheimer -- founder of security startup Scio Security and Ph.D candidate at the University of Michigan, writes us that he obtained the dreaded Android trojan, disassembled it, and posted an analysis in gory detail.

From his results it's readily apparent that the effort is amateurish, but slightly clever.  The program bears a great deal of similarity to the "HelloWorld" tutorial hosted by Google for aspiring developers.  It even prints a string "Hello Android from NetBeans".

When the MoviePlayer activity of the app fires up, it triggers the app's onCreate event.  This event checks an SQLite database with a single table and column to see if a string "was" was previously written.  Here comes the (
sort of) clever part -- on the malware's first run, after accomplishing its ill objectives it writes the string to the database.  That way on subsequent runs, the string is detected and the program merely exits without continuing the attack.  By doing as such, it's able to keep a low profile and its evil actions might escape notice.

Returning to the actions themselves, assuming it's the first time the app has been run, the app tries to broadcast an SMS text message to premium Russian text numbers -- "3353" and "3354" with a numeric message.  Meanwhile it displays to the user Russian text that translates to "Wait, seeking access to video library..."

What's more, as Mr. Oberheimer aptly points out, the premium texts should only go through in Russia.  U.S. users likely won't incur toll charges from the attack.  Of course similar trojans 
could be employed in the U.S. in the near future, so beware.

Also, the user has to physically download, install, and approve the permissions on the app.  This much relies on the Russian tricksters advertising the app as a "media player".  A number of people (in Russia) reportedly 
did fall for this, completing these steps.  The final step is that the users have to open (run) the application.  Again, a number of users apparently fell for this.

Basically the only mistake Google made in this case, in terms of security, was overestimating users' ability to handle their own security policies.  Most Android users are in the U.S. and China (less than 1 percent are in Russia), so fortunately in this case a minimal number of people appear to have been affected by their membership in the security-ignorant masses.

From this information, it's clear that the threat to savvy American users (or international ones) is minimal.  Just be sure not to install strange apps.  And if you suspect that an app may not be what it purports to be, notify Google and your carrier immediately, so you can be refunded in the case of malicious activity.

Android isn't the only platform to be hit by similar schemes.  Owners of jailbroken iPhones have been hit by worms in the past -- some mere pranks, others malicious.

Thanks, Jon for the email about your analysis!

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Humans are the weakest link
By JimmiG on 8/12/2010 6:59:56 AM , Rating: 5
So, to install this trojan you have to:

1. Go into Settings/Application settings and enable "Unknown sources"
1 b) Many carriers disable this option, which would mean you have to root your phone first - a complex, multi-step process on its own

2. Accept the warning that this poses a security risk

3. Open the message

4. Select the link

5. Accept another warning telling you that you're giving this application full control of SMS text messages and more

6. Run the application.

They could put in another 10 steps and warnings, and some people would still just bulldoze their way past them without reading. It's impossible to write software that is secure as long as it's operated by humans.

RE: Humans are the weakest link
By Cheesew1z69 on 8/12/2010 12:19:37 PM , Rating: 2
Root the phone? Who disables that option? I didn't need to root, it was on my phone, not enabled but it's there and I can use it anytime.

I am using a Samsung Moment.

RE: Humans are the weakest link
By erple2 on 8/12/2010 1:44:15 PM , Rating: 2
It's impossible to write software that is secure as long as it's operated by humans.

No, that's easy to do. It is, however, impossible to write secure software that a willful (intentional or not) user can change with a "Yes/No" dialog box.

RE: Humans are the weakest link
By JimmiG on 8/12/2010 3:29:06 PM , Rating: 2
Yeah, you could create a completely locked down system so instead of "Are you sure?" prompts, you simply remove all dangerous options and settings from view. But the definition of "dangerous" can be pretty broad. Should users even be allowed to modify files they've created? If you give an image editor the power to change user images, you also give it the power to remove or destroy them, for example.

Locking the system down is kind of what Apple are doing with iOS, which is great for some people but a real annoyance to others. At least the complex (in most cases) jailbreaking procedure helps protect dumb users from themselves.

Some (not all) carriers disable the option to install from unknown sources, so if you got your Android phone from a carrier on a contract, the option may not be there.

By Alexstarfire on 8/11/2010 4:52:01 PM , Rating: 2
After reading the other article about this trojan it seemed to me that there wasn't much of a point to it. Yea, it's bad, but what was the actual purpose? I couldn't figure out one. Most infections are made for the purpose of making money, but this one isn't. It doesn't make money for the makers or the users (not that any malware ever would make money for the user). This one would make money for the service providers. That just doesn't seem very useful to me.

The problem with Android is about the same problem with Windows. The real problem is between the screen and the chair. You can't fix that. As a result you either get something like Apple's implementation or Android's implementation. One keeps things rather locked down, while the other allows users to decide on what to do. It's no wonder why some people view Apple as safer.

RE: So...
By Drag0nFire on 8/11/2010 5:31:13 PM , Rating: 2
Well, I think we could more accurately say that the author of the Trojan stands to gain no money unless he works for/with the owner of the Russian text numbers "3353" and "3354"...

On the other hand, if this were in the US, I'd say it could have been a sophisticated and malicious move by the MPAA/RIAA...

RE: So...
By heffeque on 8/11/2010 5:46:12 PM , Rating: 1
No really have no idea how premium numbers work, do ya.

RE: So...
By Alexstarfire on 8/11/2010 9:01:32 PM , Rating: 2
I do not.

RE: So...
By B3an on 8/12/2010 12:08:16 AM , Rating: 1
Your post is embarrassing. They are making money from the premium numbers, obviously.
You would only have to be the person/company who makes the money from these numbers.

Malware on smartphones.....
By themaster08 on 8/12/2010 4:43:59 AM , Rating: 2
With smartphones becoming as popular as computers, it's inevitable that malware will start to find its way on these devices (that has not been hacked by the user).

I remember around 6 years ago, the first Symbian S60 virus began to appear. My friend's Nokia N-Gage got infected, and whilst the virus itself did no real damage, it was apparent it existed. It spread via bluetooth and installed without the user knowing. A simple format of the phone and memory card rid the user of the virus, but it was alarming that viruses could find their way onto our phones.

Fortunately, I've never seen another virus on the Symbian platform after many years of use (I'm not saying they don't exist, just that I've never experienced another).

The Symbian foundation has gone to many lengths to allow the platform to be as open, but as secure as possible. Every application must go through Symbian's digital signature program in order for it to work on any device.

The program is not like the App Store approval. The program only checks if the application meets certain functionality criteria, including that of security. The critera can be found here:

If you come across an app that does not have a signature, you can easily get one from the Symbian Signed website. If the app adheres to the criteria, you will receive your app with its certificate. Very simple.

I feel Google needs to implement similar/better methods in order to maintain security. Android is taking off by storm, and it's inevitable that it will be the subject of attack. If they want to remain as being an open platform, they need to get their security senses going sky high. Having said that, closed platforms are at no less of a risk, as shown by Apple, after recent revelations of being able to jailbreak by simply visiting a website, it's quite worrying.

With nothing stopping the homebrewing community, these companies need to be on their guard.

Droid Does Trojans and Malware
By sapiens74 on 8/11/10, Rating: -1
RE: Droid Does Trojans and Malware
By Gio6518 on 8/12/2010 3:26:42 AM , Rating: 2
Just like those "idiot" Windows users who don't know better, their fault eh?

no the idiots would be apple product users who believes the lies that their products dont get phones have multiple free anti-virus programs that defend them...not like iphones blind faith viewpoint....

free antivirus programs

By themaster08 on 8/12/2010 4:11:22 AM , Rating: 2
Droid Does Trojans and Malware
Just as iPhone does holes and hacking.....

and antenna flaws, dropped calls, display discolouration, "problems" with manufacturing the white iPhone 4, proximity issues, and iPhone 3G slowdowns.

Things are not so hot at Apple either.

"A politician stumbles over himself... Then they pick it out. They edit it. He runs the clip, and then he makes a funny face, and the whole audience has a Pavlovian response." -- Joe Scarborough on John Stewart over Jim Cramer

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki