Malicious Android Applications

Malicious Android applications tend to masquerade as applications that perform a useful service while stealing information in the background. These applications are commonly classified as Remote Access Trojans (RATs). They allow an attacker to gain unauthorized remote access to a user's device, with the capability of viewing, extracting and altering the user’s data.

Recently, a RAT known as ‘System Update’ was discovered by researchers at the firm Zimperium. This application pretends to manage system updates for your phone, ensuring it is always up to date, while in the background it accesses your device data and shares it with its command-and-control server.

This is a red flag, as all Android devices perform automatic system updates. The data it is able to obtain and the actions it is able to perform include:

    • Messages and database files from installed instant messaging applications.
    • All installed applications on the device.
    • Monitor GPS location.
    • Access the camera and take pictures.
    • Any incoming and outgoing activity such as phone calls among other data.

These types of applications are frequently blocked on first-party app stores and are more commonly spread through third-party app stores. Third-party app stores are stores that are not managed by Google and offer an alternative avenue for applications. Hence, applications from these stores are rarely subjected to the various evaluation policies of first-party app stores that ensure applications are legitimate and not malicious. By default, installing third-party stores and applications is not enabled on Android devices.

To avoid being the subject of these types of attacks, it is recommended to:

    • Avoid installing too many applications as each application you add could be a potential vector of attack.
    • Disable the ‘installing applications from unknown sources’ option in the settings menu if it is enabled on your device.
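
To check which applications already on a device came from outside a first-party store, the installer recorded for each user-installed package can be reviewed. The following is an added example, not part of the original article: it parses the output of `adb shell pm list packages -3 -i`. The sample output, the package names and the choice of Google Play (`com.android.vending`) as the only trusted installer are assumptions made for illustration.

```python
"""Flag user-installed Android apps that did not come from a first-party store.
Input: text printed by `adb shell pm list packages -3 -i` (-3 = user apps, -i = installer).
"""
import re
import subprocess

# Assumption: only Google Play counts as a first-party installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output; the package names are made up.
SAMPLE_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.game  installer=com.example.altstore
package:com.example.wallet  installer=com.google.android.packageinstaller
"""


def audit_installers(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return [(package, installer, reason)] for apps from untrusted sources."""
    findings = []
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and adb daemon noise
        pkg, installer = match["pkg"], match["installer"]
        if installer in trusted:
            continue
        if installer == "null":
            reason = "no installer recorded (sideloaded)"
        elif "packageinstaller" in installer:
            reason = "installed from an APK file (unknown source)"
        else:
            reason = "installed by a third-party store or app"
        findings.append((pkg, installer, reason))
    return findings


def read_device():
    """Query a USB-connected device; requires adb and USB debugging."""
    cmd = ["adb", "shell", "pm", "list", "packages", "-3", "-i"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg, installer, reason in audit_installers(SAMPLE_OUTPUT):
        print(f"{pkg:32} {installer:42} {reason}")
```

To audit a real device, pass `read_device()` to `audit_installers` in place of the sample text.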

The rise of smartphone usage and the large market share of Android have provided users with a vibrant ecosystem of applications that has inevitably become popular with attackers. As a result, it becomes ever more important to ensure installed applications are from a verified vendor and have been subject to sufficient evaluation.

Samson Aberi, Associate Consultant