Pierluigi Paganini July 01, 2013

Principal Security experts are confident that in the next months we will assist to the explosion for Android botnets and in general of mobile cyber threats.

Mobile botnets are malicious infrastructures that are increasing with impressive trend especially the Android botnets, considering the capillary diffusion for the Google mobile OS. Android devices are in the hands of more than half mobile users and unfortunately bad habits and lack of awareness of cyber threats are creating the favorable conditions for the diffusion of malicious applications that could infect helpless mobile.

Every day I meet dozens of persons that have made a jailbreak on their device, that have installed insecure application downloaded from third-party application stores in most of the cases for trivial reasons. For youngsters security is an unknown word, exactly such as malware despite they know that they desktop PC could be infected.

But mobile devices are also in workspace, the promiscuous usage is very common that’s why concepts such as BYOD are becoming very familiar at least between company management.

Cybercriminals are aware of this lack of awareness and the absence of proper defense mechanisms advantage their offensive.

We are speaking of Android botnets, many malicious applications are downloaded directly from a Google Play app store, but the most common question that ordinary people do is:

How do cybercriminals upload malicious code on the official store managed by a company such as Google? It’s known that Google is very careful with the security of its customers and automatically scans every submission to the Google Play store so in our notional there is no possibility for the cybercriminals to exploit this channel for malware diffusion.

Cybercriminals adopt commercial availability DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse, security expert Dancho Danchev explains how it is possible to manage Android botnets in a recent post, using commercially available tools it is possible to inject a pre-configured Android trojan client into any applications.

The diffusion of malicious agents is possible in various ways depending on attackers, the botmaster could spread the malware using compromised Web servers or through DIY Google Dorks based hacking tools  “and instead of monetizing the traffic by serving client-side exploits, they can filter and redirect all the mobile device traffic to a fraudulent/malicious Android application.”

The offer is very attractive also due the cheap price, only $37 for this injector tool, in the following image a few screenshots of the application in action.

Apparently the Android trojan has been designed by a group of four students for a university project and has all the feature for this category of malware. Fortunately the malware has an hardcoded reference to a centralized C&C infrastructure that make it easy to trace and bring down. The malware uses no-ip.org as Dynamic DNS services to address to its control infrastructure.

It could be activated both via phone call or SMS and according the post it has the following features:

• the capacity to steal an affected user’s entire address book including all the relevant contact information
• get the incoming/outgoing calls history
• get all the messages (SMS/MMS)
• network/GPS based location tracking
• real-time monitoring of incoming calls or messages
• the ability to make a phone call/send messages with the user’s his Caller ID
• activate the device’s microphone
• initiate outgoing video streams
• visit any given URL
• forced vibration of the device

An interesting phenomenon observed by security researchers is the cybercriminal ecosystem is that criminals are also showing an increasing interest in buy verified Google Play accounts, exploiting their reputation in fact they could distribute Android bots to the users who trust/recommend a particular developer.

Mobile malware black market is still not well developed for now, because cybercriminals mostly use to directly attack mobile platforms instead to sell exploit toolkits and mobile malware. Andrey Komarov from security firm Group-IB told me in a previous interview that the key properties of mobile malware for cybercrime are:

• Using of well known brands including graphical design of famous applications or legal entities (financial institutions, e-commerce, stock/e-trading applications, applications for social networking and etc.);
• The need of entering SMS or making phone calls to other numbers (sometimes it is done silently after mobile malware will be installed on the system);
• 65% of installations – only on “jailbreaked” devices, 20% – through low verification of applications, 15% – through wireless channels (NFC, WPAN networks).

Security Expert are sure that we will assist to an explosion in the diffusion of mobile malicious infrastructures and in particular for Android botnets, we must be prapared.

(Security Affairs – Android botnets, cybercrime)