A “loophole” in Google Cloud Messaging (GCM) lets attackers control some nasty Android Trojans.
Cyber criminals use Google Cloud Messaging, the service that allows Android developers to send data from their servers to their apps installed on Android devices, as a command and control (C&C) server for their malware, said researchers at Kaspersky Lab.
Most of these pieces of malware send SMS messages to premium rate numbers, steal messages and contacts, and display shady advertisements that might lead to other malicious elements.
One example is Trojan-SMS.AndroidOS.OpFake.a, which, according to Kaspersky, ended up installed over 1 million times on Android devices, particularly by users from Russia and other Commonwealth of Independent States (CIS) countries.
The threat is capable not only of sending SMS messages to premium rate numbers, but also of stealing messages and contacts, deleting SMSs, and sending out messages with links to malicious applications. The malware can also start and stop its activity automatically, and it can even update itself.
The malicious applications are distributed disguised as popular applications and games.
Once an Android device is infected, the cyber criminals use the Google service to send out commands to the Trojans and record their activities. Because attackers use GCM, experts warn it’s impossible to block access to the C&C directly from the infected smartphone.
Kaspersky said the only way to block these attacks is for Google to terminate the developer accounts utilized by the cybercriminals. The company notified the search engine giant and provided it with the GCM developer IDs utilized in the malware attacks.
Kaspersky researchers said they identify over 12,000 new samples of mobile malware each month and 97 percent of these threats target the Android platform.
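Because the command channel cannot be blocked on the device, one place a defender can still look is at what an app requests before it is installed. The sketch below is an added example, not code from Kaspersky or the original article: it reads a decoded AndroidManifest.xml (the text form a tool such as apktool produces) and flags apps that pair the GCM receive permission with the ability to send SMS. The permission-to-behaviour mapping, the flagging rule and the sample packages are assumptions constructed for illustration; a flag is a triage signal, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GCM_RECEIVE = "com.google.android.c2dm.permission.RECEIVE"  # needed to receive GCM pushes
SEND_SMS = "android.permission.SEND_SMS"
# Permissions matching the behaviours the article lists (this mapping is an assumption).
RISKY = {
    SEND_SMS: "send SMS, e.g. to premium-rate numbers",
    "android.permission.READ_SMS": "read stored messages",
    "android.permission.WRITE_SMS": "delete or alter messages",
    "android.permission.READ_CONTACTS": "read the contact list",
}

def requested_permissions(root):
    """Return the set of permission names declared under a parsed <manifest>."""
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n.strip() for n in names if n}

def triage(manifest_xml):
    """Flag apps that combine a GCM push channel with the ability to send SMS."""
    root = ET.fromstring(manifest_xml)  # for hostile input, parse with defusedxml instead
    perms = requested_permissions(root)
    gcm = GCM_RECEIVE in perms
    return {
        "package": root.get("package"),
        "gcm_channel": gcm,
        "capabilities": sorted(RISKY[p] for p in perms if p in RISKY),
        "flag": gcm and SEND_SMS in perms,
    }

def _manifest(package, perms):
    """Build a constructed sample manifest (hypothetical helper for the demo)."""
    rows = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, rows))

# Constructed samples: a "game" that wants SMS and contacts, and an ordinary push client.
FAKE_GAME = _manifest("com.example.fakegame", [
    GCM_RECEIVE, "android.permission.INTERNET", SEND_SMS,
    "android.permission.READ_CONTACTS"])
PLAIN_APP = _manifest("com.example.news", [GCM_RECEIVE, "android.permission.INTERNET"])
SMS_ONLY = _manifest("com.example.texter", [SEND_SMS, "android.permission.READ_SMS"])

if __name__ == "__main__":
    for sample in (FAKE_GAME, PLAIN_APP, SMS_ONLY):
        print(triage(sample))
```

Legitimate messaging apps can request the same combination, so the result is best compared with what the app claims to be: a game or wallpaper that asks for both is the case worth a closer look.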