• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Cyber Crime
  • Malware
  • Security
  • Android malware uses Google Cloud Messaging Service as C&C Server

Android malware uses Google Cloud Messaging Service as C&C Server

Pierluigi Paganini August 16, 2013

Security experts at Kaspersky have detected numerous Android malicious applications that uses Google Cloud Messaging Service as C&C.

Android malware exploits the Google Cloud Messaging Service (GCM) as Command and Control server. The Google service allows Android app developers to send messages using JSON format to installed apps, but hackers exploited it for malicious purposes. The discovery has been made by researchers at Kaspersky with a post on Securelist.

The JSON format is commonly used by developers to structure their data within a container, it is very versatile and commonly used by many applications. The Kaspersky Lab researchers have detected at least five different Android trojans that used JSON format:

  1. SMS.AndroidOS.FakeInst.a
  2. SMS.AndroidOS.Agent.ao
  3. SMS.AndroidOS.OpFake.a
  4. Backdoor.AndroidOS.Maxit.a
  5. SMS.AndroidOS.Agent.az.

The authors of the malware in every case took advantage of Google Cloud Messaging Service  to exchange messages between C&C services and the malicious app. Once gained a Google Cloud Messaging Service (GCM) ID, malware updates are distributed exploiting directly the Google cloud services and also any command to the malicious agent is sent exploiting the service and using JSON format. The Google Cloud Messaging Service (GCM) acts as Command and Control server for the Trojans, what is very smart in this implementation is that malware updates appear to the user to be official updates via Google.

“Furthermore, the execution of commands received from Google Cloud Messaging Service GCM is performed by the GCM system and it is impossible to block them directly on an infected device. The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.”

SMS.AndroidOS.FakeInst.a is the most diffused agent, according Kaspersky experts more than 4,800,000 installers have been detected and around 160000 attempted installation were blocked in 2012.

“It can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other malicious programs that are spread under the guise of useful applications or games” states the Kaspersky blog post.

SMS.AndroidOS.Agent.ao is presented as a porn app and has the primary intent to send messages to premium numbers meanwhile the SMS.AndroidOS.OpFake.a malware is the typical SMS malicious application of which have been detected also more than 1 million installers. This last malware is also able to steal sensitive information from the victim’s handset such as  contacts and it is also able to self-update its code, the agent appeared very active and was detected in 97 different countries, the majority in Russia and eastern countries. The Kaspersky team has blocked more than 60,000 attempted installs, it sends several commands from both the GCM and its own C&C servers such as:

  • Sending premium text messages to a specified number
  • Sending text messages (typically with a link to itself or a different threat) to a specific number, typically to numbers on the contact list
  • Performing self-updates
  • Stealing text messages
  • Deleting incoming text messages that meet the criteria set by the C&C
  • Theft of contacts
  • Replacing the C&C or GCM numbers
  • Stopping or restarting its operations

Backdoor.AndroidOS.Maxit trojan was very dated, first instance was detected in late 2011 and appears to be continuously updated, today the experts counted more than 40 different variants most often in Malaysia, Thailand, the Philippines and Burma.

“All of these modifications are very similar to one another,” “the app opens websites with games, while malicious operations are executed in the background.” It has been found most often in Malaysia, but also in Thailand, the Philippines and Burma.

Google Cloud Messaging Service Backdoor_AndroidOS_Maxit

“The first thing the backdoor sets out to do is collect information about the phone and the SIM card, including the phone number and the mobile provider. All of this data is uploaded to the androidproject.imaxter.net C&C. This is the server that manages all of the Trojan’s primary functions.”

The last trojan, SMS.AndroidOS.Agent.az., was detected for the first time in May 2012 and is a shell app for a Vietnamese porn website which is able also to send text messages to a premium number.

The number of malware that exploit the Google Cloud Messaging Service is destined to increase despite it is still relatively low, the data on their diffusion demonstrated it. These malware are prevalent in Western Europe, the CIS, and Asia, virus writers know very well that execution of commands received from GCM is performed by the Google Cloud Messaging Service system and it is impossible to block them directly on an infected device.

Actually the only option for security experts is to block developer accounts with IDs linked to the registration of malicious applications.

Pierluigi Paganini

(Security Affairs  Google Cloud Messaging Service, Android, malware)


facebook linkedin twitter

Android Cybercrime Google Cloud Messaging Service Hacking Kaspersky malware Trojan

you might also like

Pierluigi Paganini July 27, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55
Read more
Pierluigi Paganini July 26, 2025
Law enforcement operations seized BlackSuit ransomware gang’s darknet sites
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

    Malware / July 27, 2025

    Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 27, 2025

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT