Mobile malware reported riding on Google messaging service

Mobile botnets are on the rise and cybercriminals are using the Google Cloud Messaging service as a conduit for sending data from command-and-control servers to malware, a new report says.

In its latest IT Threat Evolution report, Kaspersky Lab said the third quarter was "undoubtedly the quarter of mobile botnets," as cybercriminals tried to improve the ways they manage their networks of infected Android devices.

The latest weapon in criminals' arsenal is GCM, which enables them to send short messages in the JSON format to instruct malware on Android devices. JSON, or JavaScript Object Notation, is an open standard format that uses human-readable text to transmit data from a server to Web applications.

GCM is being used to communicate with the most widespread SMS Trojans, Kaspersky said in the report released last week. SMS Trojans are a common form of mobile malware that sends text messages to premium-rate phone services. The charges, which are not easily recovered, show up later on the victim's wireless phone bill.

"The only way of preventing this channel from being used by malware writers to communicate to their malware is to block the GCM accounts of developers who use them to spread malware," Kaspersky said.

Very few malicious programs use GCM, but those that can are growing in popularity, the security vendor said.

SMS Trojans, the most common type of mobile malware, are mostly found in Russia and other regions where Android users regularly download software from third-party app stores. Malware is much less likely to hide in Google Play, the official Android store.

Android infection low

Nevertheless, the overall rate of infection on Android devices is very low. A study by the Georgia Institute of Technology found an infection rate of 0.0009 percent, or roughly 3500 out of more than 380 million mobile devices.

Infection hurdles include bypassing defenses Google builds into the operating system and the lack of effective mechanisms for mass distribution. Criminals are turning to botnets to clear the latter, and Kaspersky in mid-July recorded what the vendor said were the first third-party botnets.

Criminals rent such networks to others for malware distribution. Among the malware distributed is the most sophisticated Android Trojan, known as Obad, Kaspersky said.

android_malware

The malware opens a backdoor in an infected device in order to download additional malicious code for stealing money from victims' bank accounts. While not common in the U.S., people in other countries often use their smartphone for money transfers.

Kaspersky found Obad being distributed through mobile devices infected with malware called Trojan-SMS.AndroidOS.Opfake.a. Upon receiving instructions from a command-and-control server, Opfake would send text messages to everyone on a victim's contact list, inviting them to download multimedia content.

Clicking on the link in the text, automatically downloaded Obad, Kaspersky said.

Typical for mobile malware reports, Kaspersky recorded an increasing number of samples. The number in the vendor's collection rose nearly 20 percent from the second quarter to 120,000.

Subscribe to the Best of TechHive Newsletter

Comments