With its big growth and its open environment, it is easy to understand why Android is under attack.
The system is facing an almost daily barrage of malware attacks and the numbers back it up with 5,033 malicious Android application packages (APKs), a 64 percent increase over the 3,063 identified in the first quarter of 2012, according to the latest version of the F-Secure Mobile Threat Report.
One of the reasons for the constant Android assault is the readily available tools that allow a basic developer to create devious mobile applications. That is one reason why users need to remain cautious when downloading and installing mobile apps, especially from non-official App Stores.
Developing Android malware to harvest information is a “trivial” task and possible using readily available tools, said Kevin McNamee, security architect and director at Kindsight Security Labs.
In just a few steps, McNamee showed in a published report how he was able to inject snippets of code into a legitimate Android application that infected a mobile device with malware. The malware, when executed, connected with a remote command-and-control center and transmitted data from the device.
First McNamee downloaded a copy of the Android packager file APK for the popular game Angry Birds and infected it with DroidWhisper, a malicious Java program designed to collect and send phone data to a remote server and execute various commands. Along with the host APK file, all he needed were the regular tools available to any developer on the Android developer site. Any bad guy too busy to develop his own attack program can obtain attack programs online without too much trouble.
He took the Angry Bird APK apart by using the developer tool “apktool” to decompile the entire package. Once done, he could see the source code and directories containing various resources and images. He copied the malicious Java program into the “com” directory. If the source code was not available, it would be possible to inject malware into an app by copying malicious binaries and placing them inside the “res” (resource) or “assets” directories.
McNamee knew the various commands he needed, which then turned the endeavor into a cut-and-paste job. He opened up the XML file, which defined all the services the app runs when being loaded and user permission, in a text editor. He added a service command with the name of the malicious program inside the command string and several lines that gave the app extra permissions, such as accessing the Internet and sending SMS messages.
The copied snippets told the operating system to launch these applications when running the current app. It also tells the OS what permissions the app needs to work.
Users see the new permissions when running the modified game, but they most likely will not look at the list or stop to wonder why a game app requires certain permissions, McNamee said.
Malware copied and XML file modified, the next step was to recompile the program with all the changes into a new program. This new build then distributes out either on an alternative market or as part of a legitimate Google Play offering.
Google has one roadblock, but it’s easy to step over, McNamee said. While Google requires developers to digitally sign the code, there’s no validation in place to examine the signature, he said. McNamee was able to use a private digital signature with the name “Evil Hacker” using the “jarsigner” tool.
Once an Android device downloaded the modified app, the malware was in the device and the program could communicate with the remote C&C server.
Executing the game looks completely the same as the real thing and there is no sign of anything running that shouldn’t be. From the C&C server, attackers could see the confiscated contact information, geo-location data, and the email address associated with the device, among others. The C&C server can send instructions such as sending spam to all contacts or taking pictures using the device’s camera.