Cybercriminals thinking outside of the box on Android

According to Irfan Asrar of IT security vendor Symantec's Tokyo operation, the last few years have been a period when mobile malware has been the norm.

But, he says, if the criteria to qualify 2011 as the real "year of mobile malware" were to be challenged, then surely the events of the past few weeks alone should be enough to show that the mobile threat landscape has changed significantly.

Citing research from Symantec, Asrar says the message coming through loud and clear is that the creators of these threats are getting more strategic and bolder in their efforts.

"We are seeing increasing attempts to complicate the infection vectors of mobile malware to the point where a simple uninstall is insufficient", he says in his latest security posting.

One cybercriminal strategy, he goes on to say, has been to separate the malicious Android package into staged payloads.

"The idea is simple: instead of having one payload that carries all of the malicious code for any given attack, break the threat into separate modules that can be delivered independently", he explains.

There are, he notes, several advantages to deploying the threat in this way. Firstly, it removes the tell-tale sign of a huge set of permissions that accompanies the installation of the threat.

This list, he says, may alert the mobile device user as to the intention of the malicious app.

"Secondly, smaller pieces are easier to hide and inject into other apps. Furthermore, dispersing the attack across separate apps complicates the integrated revocation processes from the service provider, marketplace etc", he adds.

One piece of Android malware he has analysed that displays this behaviour, he notes, is Android.Lightdd.

As with its previous variant, Android.Lightdd still requires the user to accept the installation of any download, which is a major obstacle for this method of delivering a payload.

"However, another threat also discovered in the wild, Android.Jsmshider, has found a way to overcome this obstacle", he asserts, noting that in signing the payload with an Android Open Source Project (AOSP) certificate, the malware is capable of performing further downloads without any interactions or prompts.
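The staged-payload technique described above works because no single APK asks for the full permission set, and the signing point matters because every module of a split threat is typically signed by the same certificate. A defender can undo the split by grouping apps by signing certificate and taking the union of their requested permissions. The following is an added example, not code from Symantec or the article: it parses constructed AndroidManifest.xml fragments, groups them by a SHA-256 digest of a constructed stand-in for the signing certificate, and flags a signer whose apps individually request few sensitive permissions but collectively request many, as well as a signer whose certificate digest is on a (placeholder) list of certificates whose private keys are not unique to one developer. The package names, certificate bytes, digests, thresholds and the SENSITIVE list are all assumptions chosen for the example.

```python
"""Reassemble a fragmented Android permission footprint by signer.

Added example, not from the article or Symantec. All inputs below are
constructed: package names, manifests, certificate bytes and the
'shared certificate' digest list are placeholders, not real samples.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions whose combination under one signer deserves a closer look.
# Constructed list for the example; tune to the environment being monitored.
SENSITIVE = {
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_CONTACTS",
}


def manifest(pkg, perms):
    """Build a minimal constructed AndroidManifest.xml for the samples."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}">{body}</manifest>')


# Constructed sample set: three modules signed by the same certificate, each
# asking for only two permissions; one unrelated app; one app signed with a
# certificate on the shared/test list.
SAMPLE_APPS = [
    {"package": "com.example.wallpaper", "cert": b"constructed-cert-A",
     "manifest": manifest("com.example.wallpaper",
                          ["android.permission.INTERNET",
                           "android.permission.RECEIVE_BOOT_COMPLETED"])},
    {"package": "com.example.ringtones", "cert": b"constructed-cert-A",
     "manifest": manifest("com.example.ringtones",
                          ["android.permission.READ_SMS",
                           "android.permission.SEND_SMS"])},
    {"package": "com.example.updater", "cert": b"constructed-cert-A",
     "manifest": manifest("com.example.updater",
                          ["android.permission.INSTALL_PACKAGES",
                           "android.permission.READ_PHONE_STATE"])},
    {"package": "com.example.notes", "cert": b"constructed-cert-B",
     "manifest": manifest("com.example.notes", ["android.permission.INTERNET"])},
    {"package": "com.example.installer", "cert": b"constructed-shared-test-key",
     "manifest": manifest("com.example.installer", ["android.permission.INTERNET"])},
]


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate bytes; here a constructed stand-in."""
    return hashlib.sha256(cert_der).hexdigest()


# Placeholder digests of certificates whose private keys are not private to
# one developer (the article's AOSP-signed payload is the motivating case).
# A real deployment would carry real fingerprints; these are constructed.
SHARED_CERT_DIGESTS = {cert_digest(b"constructed-shared-test-key")}


def parse_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def aggregate_by_signer(apps):
    """Group apps by signer digest, keeping per-app and union permission sets."""
    groups = defaultdict(lambda: {"packages": [], "per_app": {}, "union": set()})
    for app in apps:
        perms = parse_permissions(app["manifest"])
        g = groups[cert_digest(app["cert"])]
        g["packages"].append(app["package"])
        g["per_app"][app["package"]] = perms
        g["union"] |= perms
    return dict(groups)


def flag_signers(groups, min_union_sensitive=4, max_per_app=3):
    """Flag signers whose combined sensitive footprint is large while each
    individual app stays small, and signers using a shared certificate."""
    findings = []
    for digest, g in groups.items():
        sensitive_union = g["union"] & SENSITIVE
        largest_single = max(len(p & SENSITIVE) for p in g["per_app"].values())
        if len(sensitive_union) >= min_union_sensitive and largest_single <= max_per_app:
            findings.append({"signer": digest, "reason": "fragmented_permissions",
                             "packages": sorted(g["packages"]),
                             "sensitive_union": sorted(sensitive_union)})
        if digest in SHARED_CERT_DIGESTS:
            findings.append({"signer": digest, "reason": "shared_signing_certificate",
                             "packages": sorted(g["packages"])})
    return findings


if __name__ == "__main__":
    for finding in flag_signers(aggregate_by_signer(SAMPLE_APPS)):
        print(finding)
```

Run as a script it prints two findings: the three cert-A modules, whose combined footprint covers network, boot persistence, SMS and package installation even though no single one asks for more than two permissions, and the app signed with the placeholder shared certificate. On a real device or in a marketplace pipeline the inputs would come from the installed-package list and the APK signing blocks rather than constructed strings, but the grouping logic is the same.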

Another interesting trend that Symantec has observed is the use of in-app features that facilitate the promotion and/or download of further apps on the Android platform.

In some cases, says Asrar, he and his team have seen this implemented as full-fledged browsing access to another third-party app store, embedded as undocumented functionality of the original app that the user downloaded from the official marketplace.

This is carried out, he adds, without any indication that the victim is browsing or downloading apps from another website or store.

"All things considered, the real question that comes to mind is: if this truly is the year of mobile malware, where do we go from here?"

What’s Hot on Infosecurity Magazine?