dw2

29 April 2012

My brief skirmish with Android malware

Filed under: Android, deception, malware, security — David Wood @ 2:19 pm

The smartphone security issue is going to run and run. There’s an escalating arms race, between would-be breakers of security and would-be defenders. The race involves both technology engineering and social engineering.

There is a lot at stake:

  • The numbers of users of smartphones continues to rise
  • The amount of sensitive data carried by a typical user on their smartphone (or accessible via credentials on their smartphone) continues to rise
  • Users increasingly become accustomed to the idea of downloading and installing applications on their mobile devices
  • Larger numbers of people turn their minds to crafting ways to persuade users to install apps against their better interest – apps that surreptitiously siphon off data and/or payments

In that context, I offer the following cautionary tale.

This afternoon, I unexpectedly ran into an example of this security arm race. I was minding my own business, doing what lots of people are doing in the UK these days – checking the weather forecast.

My Samsung Galaxy Note, which runs Android, came with an AccuWeather widget pre-installed on the default homescreen:

Clicking on the widget brings up a larger screen, with more content:

Clicking the ‘More’ button opens a web-browser, positioned to a subpage of m.accuweather.com.  I browsed a few screens of different weather information, and then noticed an inviting message near the bottom of the screen:

  • Turbo Battery Boost – Android System Update

I was curious, and decided to see where that link would lead.  On first glance, it appeared to take me into the Android Marketplace:

The reviews looked positive. Nearly two million downloads, with average rating around 4.5 stars. As someone who finds I need to recharge the battery in my Android midway every day, I could see the attraction of the application.

As I was weighing up what to do next, another alert popped up on the screen:

By this stage, I was fairly sure that something fishy was going on. I felt sure that, if there really was a breakthrough in battery management software for Android, I would have heard about it via other means. But by now I was intrigued, so I decided to play along for a while, to see how the story unfolded.

Clicking ‘Next’ immediately started downloading the app:

which was immediately followed by more advice on what I should do next, including the instruction to configure Android to accept updates from outside the Android Market:

Sure enough, the notifications area now contained a downloaded APK file, temptingly labelled “tap to start”:

A risk-averse person would probably have stopped at that point, fearful of what damage the suspicious-looking APK might wreak on my phone. But I had enough confidence in the Android installation gateway to risk one more click:

That’s a heck of a lot of permissions, but it’s nothing unusual. Many of the other apps I’ve installed recently have requested what seemed like a similar range of permissions. The difference in this case was that I reasoned that I had little trust in the origin of this latest application.

Even though the initial ad had been served up on the website of a reputable company, AccuWeather, and implied some kind of endorsement from AccuWeather for this application, I doubted that any such careful endorsement had taken place. Probably the connection via the AccuWeather webpage and the ads shown in it is via some indirect broker.

Anyway, I typed “Android BatteryUpgrade” into a Google search bar, and quickly found various horror stories.

For example, from a PCWorld article by Tom Spring, “Sleazy Ads on Android Devices Push Bogus ‘Battery Upgrade’ Warnings“:

Sketchy ads promote battery-saver apps for Android, but security experts say the programs are really designed to steal your data–or your money

Scareware has gone mobile: Users of Android devices are starting to see sleazy ads warning that they need to upgrade their device’s battery. The supposed battery-saver apps that those ads prod you to download, however, could endanger your privacy or siphon money from your wallet–and generally they’ll do nothing to improve your gadget’s battery life…

“These ads cross a line,” says Andrew Brandt, director of threat research for Solera Networks. It’s one thing to market a worthless battery app, he says, but another to scare or trick people into installing a program they don’t need.

The ads are similar to scareware marketing tactics that have appeared on PCs: Such ads pop up on desktops or laptops, warning that your computer is infected and advising you to download a program to fix the problem. In many cases those rogue system utilities and antivirus products are merely disguises for software that spies on users.

Why use battery ads as a ploy? They tap into a common anxiety, Brandt says. Phone users aren’t yet concerned about viruses on their phones, but they are worried about their battery being sucked dry.

Brandt says that one Android battery app, called both Battery Doctor and Battery Upgrade, is particularly problematic: Not only does it not upgrade a battery or extend a charge, but when it’s installed and unlocked, it harvests the phone’s address book, the phone number, the user’s name and email address, and the phone’s unique identifying IMEI number. With a phone user’s name, IMEI, and wireless account information, an attacker could clone the phone and intercept calls and SMS messages, or siphon money from a user by initiating premium calls and SMS services. Once the battery app is installed the program sends the phone ads that appear in the drop down status bar of the phone at all times – whether the app is running or not. Lastly it periodically transmits changes to the user’s private information and phone-hardware details to its servers…

Now on the one hand, Android deserves praise for pointing out to the user (me, in this case) that the application was requesting lots of powerful capabilities. On the other hand, it’s likely that at least some users would just think, “click, click, yes I really do want to install this, click, click”, having been desensitised to the issue by having installed lots of other apps in seemingly similar ways in the past.

Buyer beware. Especially if the cost is zero – and if the origin of the application cannot be trusted.

Footnote: Now that I’m paying more attention, I can see lots of other “sleazy” (yes, that’s probably the right word) advertisements on AccuWeather’s mobile webpages.

Advertisements

3 Comments »

  1. Nice write up and good to see the screenshots on this. It would be interesting to see what the various AV tools say about it. Have you tried scanning with the free versions?

    Comment by David Rogers — 29 April 2012 @ 2:56 pm

    • I didn’t complete the installation and I deleted the .APK from the Downloads folder. I wonder if an AV tool would have detected the .APK and thrown an alert, as soon as it had arrived on my phone, even before I had navigated the Installation dialog. (I don’t run any AV tools on my phone and have never felt the need to do so… but maybe I should reconsider this.)

      Comment by David Wood — 29 April 2012 @ 3:07 pm

  2. Avast picked mine up. My son downloaded some games on my galaxy tab. I removed all the games but keep getting the popup to download still. I’m trying to find what its listed as to close and delete the popup. I managed to close it but not sure which app it was. I need to play a little more.

    Comment by David Baglietto — 13 June 2012 @ 11:19 pm


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: