New Android malware using blog posts as command-and-control system

Infosecurity notes that the evolution of Android malware may turn out to be a re-run of the Windows malware seen in the 1990s, which used Internet Relay Chat (IRC) channels – a group version of instant messaging – to control the execution of the malicious code.

According to Karl Dominguez, a threat response engineer with the IT security vendor, ANDROIDOS_ANSERVER.A, as it is known, arrives as an e-book reader app, can be downloaded from a third-party Chinese app store, and asks for the following permissions upon installation:

Access network settings
Access the Internet
Control the vibrate alert
Disable key locks
Make a call
Read low-level log files
Read and write contact details
Restart apps
Wake the device
Write, read, receive, and send SMS
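The permission list above is the first thing an analyst can check without running the sample. The following added example (my own code, not Trend Micro's or Infosecurity's) parses an AndroidManifest.xml, maps the article's plain-English list to the Android permission constants I take them to correspond to (that mapping is an assumption), and flags a manifest whose requests are out of place for an e-book reader. The two manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The article's install-time permission list, mapped to Android permission
# constants. The mapping is an assumption made for this example.
REPORTED_PERMISSIONS = {
    "android.permission.ACCESS_NETWORK_STATE",  # access network settings
    "android.permission.INTERNET",              # access the Internet
    "android.permission.VIBRATE",               # control the vibrate alert
    "android.permission.DISABLE_KEYGUARD",      # disable key locks
    "android.permission.CALL_PHONE",            # make a call
    "android.permission.READ_LOGS",             # read low-level log files
    "android.permission.READ_CONTACTS",         # read contact details
    "android.permission.WRITE_CONTACTS",        # write contact details
    "android.permission.RESTART_PACKAGES",      # restart apps
    "android.permission.WAKE_LOCK",             # wake the device
    "android.permission.SEND_SMS",              # send SMS
    "android.permission.RECEIVE_SMS",           # receive SMS
    "android.permission.READ_SMS",              # read SMS
    "android.permission.WRITE_SMS",             # write SMS
}

# Permissions an e-book reader has no plausible use for. One is worth a look;
# several together are a strong signal (the threshold below is my choice).
OUT_OF_PLACE_FOR_READER = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_LOGS",
    "android.permission.DISABLE_KEYGUARD", "android.permission.RESTART_PACKAGES",
}

# Constructed manifests: one mirroring the article's list, one a plain reader.
SUSPECT_MANIFEST = '<manifest xmlns:android="%s" package="com.example.reader">%s</manifest>' % (
    ANDROID_NS,
    "".join('<uses-permission android:name="%s"/>' % p for p in sorted(REPORTED_PERMISSIONS)),
)
BENIGN_MANIFEST = '''<manifest xmlns:android="%s" package="com.example.plainreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>''' % ANDROID_NS


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str, min_out_of_place: int = 3) -> dict:
    """Score a manifest against the article's list and the reader baseline."""
    perms = manifest_permissions(manifest_xml)
    out_of_place = sorted(perms & OUT_OF_PLACE_FOR_READER)
    overlap = len(perms & REPORTED_PERMISSIONS) / len(REPORTED_PERMISSIONS)
    return {
        "permissions": sorted(perms),
        "out_of_place": out_of_place,
        "overlap_with_reported_set": round(overlap, 2),
        "suspicious": len(out_of_place) >= min_out_of_place,
    }


if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

The overlap score is only a hint that a sample resembles the reported one; the out-of-place check is the more durable rule, since it asks whether the requested capabilities match what the app claims to be.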

“From our analysis, we found that this malware has two hard-coded [command-and-control] servers to which it connects in order to receive commands and to deliver payloads. The first server is just like the usual remote site to which the malware posts information to and gets commands from”, wrote Dominguez in his latest security posting.

“The second C&C server, however, caught our attention more. This is a blog site with encrypted content, which based on our research, is the first time Android malware implemented this kind of technique to communicate”, he added.

Further analysis of the blog content, said the Trend Micro threat analyst, revealed six encrypted posts containing backup C&C server URLs, as well as 18 binaries that have been uploaded to the blog between July 23 and September 26, with one of the updates named '_test', suggesting that the malware is still being developed.

Decrypting the posts and analyzing the binaries, Dominguez said his team found that the files are just different versions of one file. Comparing them, he added, one difference he found is that the newer versions had the capability to display notifications that attempt to trick users into approving the download of an update.
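A blog used as a C&C channel looks, to the network, like an app that keeps re-reading the same few posts and occasionally pulls a binary from the same site. The following added example (my own code, not the vendor's) runs that heuristic over constructed proxy log lines: it groups requests by client and host, measures how regular the request cadence is, and notes whether any response was an octet-stream rather than a page. The log format, the hosts and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log: time, client, method, URL, response content type, bytes.
# 10.0.0.7 polls one blog post every ten minutes and once fetches a binary;
# 10.0.0.9 reads the same blog the way a person would.
SAMPLE_LOG = """\
2011-09-26T10:00:00 10.0.0.7 GET http://blog.example.invalid/reader/post1 text/html 3120
2011-09-26T10:10:00 10.0.0.7 GET http://blog.example.invalid/reader/post1 text/html 3120
2011-09-26T10:20:00 10.0.0.7 GET http://blog.example.invalid/reader/post1 text/html 3120
2011-09-26T10:30:00 10.0.0.7 GET http://blog.example.invalid/reader/update application/octet-stream 48213
2011-09-26T10:40:00 10.0.0.7 GET http://blog.example.invalid/reader/post1 text/html 3120
2011-09-26T10:03:11 10.0.0.9 GET http://blog.example.invalid/news/today text/html 15002
2011-09-26T14:47:52 10.0.0.9 GET http://blog.example.invalid/news/weekend text/html 16788
2011-09-26T10:05:00 10.0.0.7 GET http://cdn.example.invalid/fonts/a.ttf font/ttf 90000
"""


def parse_log(log_text):
    """Split the constructed log format into records."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ctype, size = line.split()
        parsed = urlparse(url)
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": parsed.hostname,
            "path": parsed.path,
            "ctype": ctype,
            "size": int(size),
        })
    return records


def find_periodic_fetches(log_text, min_requests=4, max_jitter=0.2):
    """Flag (client, host) pairs polled at a regular cadence.

    jitter is the standard deviation of inter-request gaps divided by the
    mean gap; a human reader produces large jitter, a polling loop does not.
    """
    by_pair = defaultdict(list)
    for r in parse_log(log_text):
        by_pair[(r["client"], r["host"])].append(r)

    findings = []
    for (client, host), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        times = sorted(r["time"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client,
            "host": host,
            "requests": len(recs),
            "mean_gap_seconds": avg,
            "jitter": round(jitter, 3),
            "distinct_paths": len({r["path"] for r in recs}),
            "binary_download": any(r["ctype"] == "application/octet-stream" for r in recs),
        })
    return findings


if __name__ == "__main__":
    for f in find_periodic_fetches(SAMPLE_LOG):
        print(f)
```

Cadence alone will also catch legitimate feed readers, so in practice the binary-download flag and a small number of distinct paths are what separate a beacon from a subscription; tune `min_requests` and `max_jitter` to the polling interval you actually observe.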

“The use of blog platforms in malware activities is not unheard of. In fact, early this year, a botnet was found using Twitter for issuing commands to infected systems. If anything, this recent adaptation of mobile malware is another sign of continued development and proliferation”, he noted.
