Android botnets on the rise – case study

Principal Security experts are confident that in the next months we will assist to the explosion for Android botnets and in general of mobile cyber threats.

Mobile botnets are malicious infrastructures that are increasing with impressive trend especially the Android botnets, considering the capillary diffusion for the Google mobile OS. Android devices are in the hands of more than half mobile users and unfortunately bad habits and lack of awareness of cyber threats are creating the favorable conditions for the diffusion of malicious applications that could infect helpless mobile.

Every day I meet dozens of persons that have made a jailbreak on their device, that have installed insecure application downloaded from third-party application stores in most of the cases for trivial reasons. For youngsters security is an unknown word, exactly such as malware despite they know that they desktop PC could be infected.

But mobile devices are also in workspace, the promiscuous usage is very common that’s why concepts such as BYOD are becoming very familiar at least between company management.

Cybercriminals are aware of this lack of awareness and the absence of proper defense mechanisms advantage their offensive.

We are speaking of Android botnets, many malicious applications are downloaded directly from a Google Play app store, but the most common question that ordinary people do is:

How do cybercriminals upload malicious code on the official store managed by a company such as Google? It’s known that Google is very careful with the security of its customers and automatically scans every submission to the Google Play store so in our notional there is no possibility for the cybercriminals to exploit this channel for malware diffusion.

Cybercriminals adopt commercial availability DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse, security expert Dancho Danchev explains how it is possible to manage Android botnets in a recent post, using commercially available tools it is possible to inject a pre-configured Android trojan client into any applications.

The diffusion of malicious agents is possible in various ways depending on attackers, the botmaster could spread the malware using compromised Web servers or through DIY Google Dorks based hacking tools “and instead of monetizing the traffic by serving client-side exploits, they can filter and redirect all the mobile device traffic to a fraudulent/malicious Android application.”

The offer is very attractive also due the cheap price, only $37 for this injector tool, in the following image a few screenshots of the application in action.

Apparently the Android trojan has been designed by a group of four students for a university project and has all the feature for this category of malware. Fortunately the malware has an hardcoded reference to a centralized C&C infrastructure that make it easy to trace and bring down. The malware uses no-ip.org as Dynamic DNS services to address to its control infrastructure.

It could be activated both via phone call or SMS and according the post it has the following features:

the capacity to steal an affected user’s entire address book including all the relevant contact information
get the incoming/outgoing calls history
get all the messages (SMS/MMS)
network/GPS based location tracking
real-time monitoring of incoming calls or messages
the ability to make a phone call/send messages with the user’s his Caller ID
activate the device’s microphone
initiate outgoing video streams
visit any given URL
forced vibration of the device

An interesting phenomenon observed by security researchers is the cybercriminal ecosystem is that criminals are also showing an increasing interest in buy verified Google Play accounts, exploiting their reputation in fact they could distribute Android bots to the users who trust/recommend a particular developer.

Mobile malware black market is still not well developed for now, because cybercriminals mostly use to directly attack mobile platforms instead to sell exploit toolkits and mobile malware. Andrey Komarov from security firm Group-IB told me in a previous interview that the key properties of mobile malware for cybercrime are:

Using of well known brands including graphical design of famous applications or legal entities (financial institutions, e-commerce, stock/e-trading applications, applications for social networking and etc.);
The need of entering SMS or making phone calls to other numbers (sometimes it is done silently after mobile malware will be installed on the system);
65% of installations – only on “jailbreaked” devices, 20% – through low verification of applications, 15% – through wireless channels (NFC, WPAN networks).

Security Expert are sure that we will assist to an explosion in the diffusion of mobile malicious infrastructures and in particular for Android botnets, we must be prapared.

(Security Affairs – Android botnets, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.