Malware Makers Using Google GCM as a C&C Server to Android Trojans

JSON, javascript object notation, is a text-based standard for data interchange. “These messages,” warns Roman Unuchek of Kaspersky Lab, “may contain any structured data, such as links, advertising information, or commands.” GCM using JSON is a service properly used to discover the coordinates of stolen telephones, and send out messages about the release of new game levels, new products, and more. But, says, Unuchek, “it would be surprising if virus writers did not attempt to take advantage of the opportunities presented by this service.”

And indeed they have. Kaspersky Lab has now published details on five separate Android trojans that use this process: SMS.AndroidOS.FakeInst.a,, SMS.AndroidOS.OpFake.a, Backdoor.AndroidOS.Maxit.a, and 

The first is is one of the most widespread threats targeting Android. Kaspersky has detected over 4,800,000 installers, and blocked 160,000 attempted installations in the last year. “It can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other malicious programs that are spread under the guise of useful applications or games.”

The second is disguised as a porn app, with the primary purpose of sending messages to premium numbers. The third is described by Kaspersky as “a classic example of an SMS Trojan,” with more than 1 million detected installers. Apart from the usual premium messages it is also able to steal contacts and perform self-updates. It has been found in 97 different countries, but predominantly in Russia and surrounding countries, where Kaspersky has blocked more than 60,000 attempted installs. A further 1000 have been blocked in Italy and Germany.

The fourth trojan, Backdoor.AndroidOS.Maxit, was first detected in late 2011, with new versions appearing ever since (there are currently more than 40 variants). “All of these modifications are very similar to one another,” says Kaspersky; “the app opens websites with games, while malicious operations are executed in the background.” It has been found most often in Malaysia, but also in Thailand, the Philippines and Burma.

The fifth trojan has been monitored by Kaspersky since May 2012. “It is a shell app for a Vietnamese porn website which also sends text messages to a premium number,” warns Kaspersky.

The problem, in all cases, is that once the malware developer gains a GCM ID, his malware updates are distributed by Google’s cloud services to all of his installed apps. Google is being used as a command and control server for the trojans: the updates appear to the user to be official updates via Google. “Furthermore, the execution of commands received from GCM is performed by the GCM system and it is impossible to block them directly on an infected device. The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.”

The ball is clearly in Google’s court.

What’s hot on Infosecurity Magazine?