2019 Cybersecurity Insights -14

August 5, 2020 | Mina Hao

Malware Threats from Mobile Platforms

Nowadays, smartphones are ubiquitous. Android, as a widely used mobile operating system, is vulnerable to an increasingly large number of malware families owing to its openness and privilege issues. Such malware can even be spread via legitimate channels, including Google Store.

Generally, the evolution of mobile platform threats shares great similarities with that of PC threats. In 2019, ad apps still dominated the list of malware threatening the security of Android users. Potentially dangerous software requiring sensitive operations also made up a large proportion. High-risk threats, such as spyware, bank trojans, and ransomware, were small in number, but most of them had been around for some time and some even for years. Agent programs launching attacks via remote code execution, thanks to the inherent nature of Android, were another type of mobile threat at the top of the list.

  • Compromise and spreading method

As usual, active malware on mobile platforms in 2019 was mainly distributed via third-party markets and illegitimate links. Although this type of malware, as a whole, made little technical headway, bank trojans and ransomware became more skilled in social engineering and could launch attacks by means of highly deceptive content. When it comes to the grey industry, 2019 saw more and more apps bundled with malicious functions or modules, either intentionally by their developers or stealthily by malicious third parties.

With the development of mobile operating systems and markets, malicious Android applications are now easier to remove. However, for ordinary Android users with little security awareness, these malicious applications can still significantly affect the user experience or even cause financial losses. Android users should remember to keep their systems up to date and obtain content from legitimate channels to avoid being attacked or exploited by cybercriminals.

  • Adware

In 2019, Android adware could be classified into the following types from the aspect of the delivery method:

Bundled adware. To create such adware, the author unpacks a popular, legitimate app, adds an ad module to it, repackages it, and uploads the tampered package to third-party app markets. An example of this type of adware is Ewind.

Disguised adware. The adware uses an icon and name identical or similar to those of a popular app and is distributed through third-party app markets. MobiDash is a typical example of this type of adware.

Adware in the form of a software development kit (SDK). Some adware developers operate as legal businesses and do business by pushing their own adware to partners in the form of SDKs. Applications using these SDKs are included in the ad push network and have their ads displayed, thus garnering profits. AirPush is such a type of adware.

Though different in delivery method, all these types of adware degrade the experience of Android users. Most such software has a delay mechanism by which ads are not pushed until hours or even days after the software is installed, making it harder for users and regulators to identify.
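The bundled-adware delivery described above leaves a measurable trace: the tampered package differs from the developer's original build, and because the repackager cannot reproduce the developer's signature, the META-INF signature block changes too. The following Python script is an added example (not code from the report or from NSFOCUS) that diffs a suspect APK against a known-good build of the same app and reduces the differences to repackaging indicators. Both APKs, their entry names and their contents are constructed in memory for the example.

```python
"""Added example (not part of the report): spot a repackaged APK by comparing it
entry-by-entry against a known-good build of the same app. An APK is a zip file,
so the standard library is enough; the two APKs below are constructed in memory."""
import hashlib
import io
import re
import zipfile


def build_apk(entries):
    """Build an in-memory APK (plain zip) from a {path: bytes} mapping (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map every file entry in the APK to the SHA-256 of its decompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(reference, suspect):
    """Return which entries were added, removed or modified relative to the reference build."""
    ref, sus = entry_digests(reference), entry_digests(suspect)
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(p for p in set(ref) & set(sus) if ref[p] != sus[p]),
    }


DEX_RE = re.compile(r"^classes\d*\.dex$")


def repackaging_indicators(diff):
    """Reduce a diff to the signals that matter for bundled adware: new Dalvik code,
    new native libraries, and a changed signature block (a tampered APK cannot keep
    the original developer's signature, so META-INF must differ)."""
    changed = diff["added"] + diff["modified"]
    return {
        "new_dex": [p for p in diff["added"] if DEX_RE.match(p)],
        "new_native_libs": [p for p in diff["added"] if p.startswith("lib/") and p.endswith(".so")],
        "signature_changed": any(p.startswith("META-INF/") for p in changed),
    }


def is_repackaged(diff):
    ind = repackaging_indicators(diff)
    return bool(ind["new_dex"] or ind["new_native_libs"] or ind["signature_changed"])


# Constructed sample data: a "clean" build and the same app with an ad module bundled in.
CLEAN_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.notes'/>",
    "classes.dex": b"dex\n035\x00original app code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\nSHA-256-Digest: aaaa\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"<original developer signature block>",
}
BUNDLED_ENTRIES = dict(CLEAN_ENTRIES)
BUNDLED_ENTRIES.update({
    "classes2.dex": b"dex\n035\x00injected ad module",
    "lib/armeabi-v7a/libadsdk.so": b"\x7fELF<constructed stub>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\nSHA-256-Digest: aaaa\n"
                            b"Name: classes2.dex\nSHA-256-Digest: bbbb\n",
    "META-INF/CERT.RSA": b"<re-signed with the repackager's key>",
})
CLEAN_APK = build_apk(CLEAN_ENTRIES)
BUNDLED_APK = build_apk(BUNDLED_ENTRIES)

if __name__ == "__main__":
    d = diff_apks(CLEAN_APK, BUNDLED_APK)
    print(d)
    print(repackaging_indicators(d), "repackaged:", is_repackaged(d))
```

Hashing the META-INF entries is a shortcut; a production check should parse the signing certificate out of the APK signature and compare it with the developer's known certificate, which also covers the case where nothing but the signer changed.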

  • Bank trojans

In 2019, bank trojans like Wroba, Svpeng, and Asacub were extremely active around the world.

Wroba is a long-lived bank trojan targeting South Korean users. Looking like common bank applications (Hana Financial Group, Lotte Co., Ltd., and so on), Wroba is delivered via phishing websites or links. This trojan is mainly used for stealing app information, call records, short message service (SMS) contents, and other information. Specifically, it forges web pages to collect users’ bank account information and then sends such information to a specified C&C server.

Svpeng is a bank trojan mainly targeting Russian users. Usually disguised as an application like Flash Player or a popular game, the trojan is distributed via application markets. It is mainly used for espionage purposes, including collecting SMS, call, and keystroke records of devices, sending text messages, and obtaining administrative privileges to gain persistence. In addition, with a forged credit card page, the malware can collect users’ credit card information.

It is worth noting that some Svpeng variants have the ransomware feature, enabling the malware to demand ransom from users while collecting user information.

Asacub is also a long-lived bank trojan targeting Russian users. It has evolved from a simple information-stealing tool into a full-featured remote control trojan. The initial version of Asacub was small and had a single function: stealing users' SMS contents. The mobile banking evolution of Asacub added features that enable the trojan to display a phishing page for a banking application, execute command-line instructions, and capture screens. By hijacking users' SMS contents, Asacub can leverage social engineering to spread quickly.

  • Ransomware

Some variants of the banking trojan Svpeng come with the ransomware feature, which is achieved by locking users' screens, the oldest practice of Android ransomware. These variants had the most samples detected in 2019 among all ransomware families. With US Android users as the major targets, the variant disguises itself as an application offering adult content. While running, it uses a high-privileged window to freeze the screen and disable all buttons except the power button. It then accuses users of viewing illegal content on their smartphones and uses this as a pretext to demand that users pay a ransom.

Fortunately, ransomware families are less original in their delivery method. Android users can avoid them as long as they refrain from downloading applications from unofficial channels.
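The bank trojans and the screen-locking Svpeng variants described above share a recognizable footprint in the application manifest: SMS and call-log access, the overlay permission used for forged bank pages and lock screens, and a device-administrator receiver for persistence. The following Python script is an added example (not code from the report or from NSFOCUS) that triages a manifest for those combinations. It assumes the manifest has already been decoded to text form (a real APK carries a binary manifest; apktool or aapt can decode it), the two sample manifests and the package names in them are constructed, and the weights and thresholds are this example's own triage choice rather than any published scoring scheme.

```python
"""Added example (not from the report): triage an Android manifest for the
permission and component combinations bank trojans and screen lockers rely on.
The manifests below are constructed text-form XML; a real APK carries a binary
manifest that must be decoded first (for instance with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Weights are this example's own triage choice, not a published scoring scheme.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": (2, "can intercept incoming SMS (one-time codes, spread links)"),
    "android.permission.READ_SMS": (2, "can read stored SMS contents"),
    "android.permission.SEND_SMS": (1, "can send SMS (self-spreading, premium numbers)"),
    "android.permission.READ_CALL_LOG": (1, "can collect call records"),
    "android.permission.READ_CONTACTS": (1, "can harvest contacts for spreading"),
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "can draw over other apps (fake bank pages, screen lock)"),
}
# Binding permissions on components that mark device-admin or accessibility-service use.
COMPONENT_WEIGHTS = {
    "android.permission.BIND_DEVICE_ADMIN": (3, "device administrator receiver (persistence, hard to remove)"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (3, "accessibility service (can read screens, click dialogs)"),
}


def manifest_facts(xml_text):
    """Extract requested permissions and privileged component bindings from a manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    bindings = set()
    app = root.find("application")
    if app is not None:
        for el in app.iter():
            if el.tag in ("receiver", "service") and el.get(A_PERMISSION):
                bindings.add(el.get(A_PERMISSION))
    return {"permissions": perms, "bindings": bindings}


def triage(xml_text):
    """Score the manifest and explain which indicators contributed."""
    facts = manifest_facts(xml_text)
    score, reasons = 0, []
    for perm in sorted(facts["permissions"]):
        if perm in PERMISSION_WEIGHTS:
            weight, why = PERMISSION_WEIGHTS[perm]
            score += weight
            reasons.append("%s: %s" % (perm, why))
    for binding in sorted(facts["bindings"]):
        if binding in COMPONENT_WEIGHTS:
            weight, why = COMPONENT_WEIGHTS[binding]
            score += weight
            reasons.append("%s: %s" % (binding, why))
    level = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"score": score, "level": level, "reasons": reasons}


# Constructed manifest of a fake "Flash Player" style trojan: SMS theft, overlays, device admin.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer.update">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary SMS messenger for comparison.
MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_MANIFEST), ("messenger", MESSENGER_MANIFEST)):
        print(name, triage(xml_text))
```

The score is a triage hint, not a verdict: a legitimate SMS client needs SMS permissions, so what separates the sample trojan is the combination with the overlay permission and a device-administrator receiver, which is exactly the behaviour the report attributes to Svpeng.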

  • Cryptojacking malware

Some Android applications engage in cryptojacking activities without users’ knowledge by including a cryptomining module.

Usually, cryptomining can be achieved via JavaScript scripts or a shared object (SO).

Android applications embedded with JavaScript cryptomining scripts exist in large numbers. They include not only malicious applications but also legitimate ones. These applications seem to prefer Android TV boxes to smartphones, because TV boxes have poor application governance and applications on them usually run continuously for hours, giving attackers a better chance to garner profits by means of cryptojacking.

Compared with JavaScript scripts, SOs are characterized by more efficient cryptomining and larger file sizes. The latter characteristic makes it difficult to spread SOs by means of bundling. Common SO cryptomining modules include NeoNeonMiner and MinerGate, built for mainstream architectures such as x86/x64, ARM, and MIPS.
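Because an SO miner ships as a native library, an analyst's first question is which architectures the bundled libraries target; an ELF header answers it directly, and a MIPS build in an app that claims to be a phone utility is itself worth a look given that MIPS Android devices are mostly TV boxes and embedded hardware. The following Python script is an added example (not code from the report or from NSFOCUS) that reads the ELF header of each library under an APK's lib/ directory, names the architecture, and flags libraries whose header does not match the ABI directory they sit in. The library contents are constructed minimal ELF headers, not real miner binaries, and the file names are made up for the example.

```python
"""Added example (not from the report): inventory the native libraries bundled in an
APK and identify the CPU architecture each one was built for by reading its ELF
header. The .so contents below are constructed minimal ELF headers, not real miners."""
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (System V ABI)
E_MACHINE_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Android ABI directory names and the machine type their libraries should carry
ABI_EXPECTED_ARCH = {"x86": "x86", "x86_64": "x86-64", "armeabi-v7a": "ARM",
                     "arm64-v8a": "AArch64", "mips": "MIPS"}


def elf_machine(data):
    """Return (architecture name, is_64bit) from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]   # 1/2 = 32/64-bit; 1/2 = little/big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_ident is 16 bytes and e_type 2 bytes, so e_machine sits at offset 18 in both classes
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return E_MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine), ei_class == 2


def native_lib_inventory(entries):
    """entries: {APK path: bytes}. Report each lib/<abi>/*.so with its real architecture
    and flag libraries whose header does not match the ABI directory they were placed in."""
    report = []
    for path in sorted(entries):
        parts = path.split("/")
        if len(parts) < 3 or parts[0] != "lib" or not path.endswith(".so"):
            continue
        abi = parts[1]
        info = elf_machine(entries[path])
        arch = info[0] if info else "not-ELF"
        report.append({"path": path, "abi": abi, "arch": arch,
                       "mismatch": ABI_EXPECTED_ARCH.get(abi) != arch})
    return report


def make_elf_header(e_machine, bits=32, little=True):
    """Construct a minimal ET_DYN ELF header for testing (constructed, not a loadable binary)."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1 if little else 2, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(("<" if little else ">") + "HH", 3, e_machine) + b"\x00" * 12


# Constructed APK entries: the same (hypothetical) miner library built for several ABIs,
# plus one library dropped into the wrong ABI directory.
SAMPLE_APK_ENTRIES = {
    "classes.dex": b"dex\n035\x00",
    "lib/armeabi-v7a/libminer.so": make_elf_header(40),
    "lib/arm64-v8a/libminer.so": make_elf_header(183, bits=64),
    "lib/x86/libminer.so": make_elf_header(3),
    "lib/mips/libminer.so": make_elf_header(8, little=False),  # big-endian MIPS
    "lib/x86_64/libminer.so": make_elf_header(40),  # ARM library misplaced under x86_64
}

if __name__ == "__main__":
    for row in native_lib_inventory(SAMPLE_APK_ENTRIES):
        print(row)
```

Reading e_machine from the header rather than trusting the directory name matters because the ABI directory is just a zip path the packager chose; the header is what the loader actually checks.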

To be continued.