A recent news article described email as the undying "cockroach of the Internet". Judging by some of the Android malware samples I've analyzed recently, malware authors might share that sentiment.
In 2013, we saw the first Android botnet variant that used email as a means to 'call home'. Since then, and particularly over the past few months, there has been a surge in the number of samples discovered that follow suit (thanks to Crypto Girl for the observation).
The table below lists all such variants we've seen so far:
| Variant Name | Date of Discovery | SMTP Server Used | Same Sender and Recipient Email ID | Sender Email Account Status |
|---|---|---|---|---|
| Android/Langya.A!tr.spy | Aug 2013 | smtp.163.com | No | User account suspended |
| Android/Secretspy.A!tr.spy | Sept 2013 | smtp.gmail.com | No | Account password changed |
| Android/Bankstel.A!tr.spy | July 2014 | smtp.qq.com | No | Failure to sign in |
| Android/Wroba.I!tr | July 2014 | smtp.gmail.com | Yes | Account disabled |
| Android/FakeKype.A!tr | July 2014 | smtp.gmail.com | Yes | Account password changed |
| Android/SmsSend.FA!tr | Aug 2014 | smtp.qq.com | No | Failure to sign in |
Some other botnet variants also come packaged with email-sending abilities, but they haven't been included in the list because they need to be configured on the infected phone before they are effective. Such variants with user-defined email IDs are less interesting in the context of this post. For example:
- Android/AnSmCon.A!tr.spy (Jan, 2013)
- Android/FynCopy.A!tr (Feb, 2013)
- Riskware/SmsControlSpy!Android (July, 2014)
Disadvantages of using email as a way to 'call home'
- Single point of takedown: Some samples use the same email ID as both sender and recipient. This is probably convenient for the author, since only one value needs to be changed to create a new variant of the sample. However, it also means the botnet's entire email communication channel can be taken down by disabling a single account.
- Hard-coded login credentials: Another disadvantage is that the email address and password of the sender's account are hard-coded in the sample. Anyone who gets their hands on a sample can therefore recover them, log into the 'bot' email account and emulate its communication with the C&C server. Granted, hard-coded credentials can be abused on any channel, but with email it is particularly easy, since any off-the-shelf mail client can be used to log in.
- Account deactivation: At the other end, if the recipient email account is deactivated, the information gathered and sent by the bots can no longer be accessed by the attacker.
All of these disadvantages can be circumvented if the botnet configuration can be updated via another C&C channel. This was first seen in Android/Bankstel, which allows the email address and password used to be updated via an SMS command.
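To show how little effort recovering such hard-coded credentials takes, here is an added triage script (example code written for this page, not code from the original post or from any of the families named above). It walks smali as produced by apktool/baksmali, tracks which string constant was last loaded into each register, and resolves the arguments of JavaMail calls: the account and password passed to the `javax.mail.PasswordAuthentication` constructor, the SMTP server string, and the addresses handed to `setFrom` and `setRecipient`, so it can also flag the single-point-of-takedown case where sender and recipient are the same account. It assumes the sample uses the JavaMail API; the smali excerpt, the account `botaccount2014@gmail.com`, its password and the class name `com.example.bot.Mailer` are all constructed for this example.

```python
"""Triage helper: pull hard-coded SMTP indicators out of decompiled Android code.

Added example, not code from the original post. It walks smali (as produced by
apktool/baksmali) line by line, tracking which string constant was last loaded
into each register so that the arguments of JavaMail calls can be resolved.
Assumes the sample uses the JavaMail API (javax.mail.*); everything below that
looks like an account, password or server is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed smali excerpt standing in for a decompiled sample. It is not taken
# from any family named in the post; the account, password and server are made up.
SAMPLE_SMALI = r'''
.class Lcom/example/bot/Mailer;
.method private buildAuth()Ljavax/mail/PasswordAuthentication;
    .locals 5
    const-string v0, "mail.smtp.host"
    const-string v1, "smtp.gmail.com"
    const-string v2, "botaccount2014@gmail.com"
    const-string v3, "s3cretP4ss"
    new-instance v4, Ljavax/mail/PasswordAuthentication;
    invoke-direct {v4, v2, v3}, Ljavax/mail/PasswordAuthentication;-><init>(Ljava/lang/String;Ljava/lang/String;)V
    return-object v4
.end method
.method private addressMessage(Ljavax/mail/Message;)V
    .locals 2
    const-string v0, "botaccount2014@gmail.com"
    new-instance v1, Ljavax/mail/internet/InternetAddress;
    invoke-direct {v1, v0}, Ljavax/mail/internet/InternetAddress;-><init>(Ljava/lang/String;)V
    invoke-virtual {p1, v1}, Ljavax/mail/Message;->setFrom(Ljavax/mail/Address;)V
    sget-object v0, Ljavax/mail/Message$RecipientType;->TO:Ljavax/mail/Message$RecipientType;
    invoke-virtual {p1, v0, v1}, Ljavax/mail/Message;->setRecipient(Ljavax/mail/Message$RecipientType;Ljavax/mail/Address;)V
    return-void
.end method
'''

CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+([vp]\d+),\s+"((?:[^"\\]|\\.)*)"')
# Only the list form {v4, v2, v3} is resolved; invoke-*/range {v0 .. v3} is skipped.
INVOKE = re.compile(r'invoke-(?:direct|virtual|static|super|interface)\s+\{([^}]*)\},\s+(L[^;]+;)->([^(]+)\(')
SMTP_HOST = re.compile(r'^smtp[A-Za-z0-9-]*\.[A-Za-z0-9.-]+$')  # "mail.smtp.host" is a property key, not a host
EMAIL = re.compile(r'^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$')
MESSAGE_CLASSES = {'Ljavax/mail/Message;', 'Ljavax/mail/internet/MimeMessage;'}


@dataclass
class MailIndicators:
    smtp_hosts: set = field(default_factory=set)
    credentials: list = field(default_factory=list)  # (account, password) pairs
    senders: set = field(default_factory=set)
    recipients: set = field(default_factory=set)

    @property
    def same_sender_and_recipient(self) -> bool:
        """True when the bot mails itself: disabling one account takes the channel down."""
        return bool(self.senders) and self.senders == self.recipients


def extract_mail_indicators(smali: str) -> MailIndicators:
    ind = MailIndicators()
    strings = {}    # register -> string constant last loaded into it
    addresses = {}  # register -> e-mail address wrapped in an InternetAddress object
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith('.method'):  # registers are method-local, start afresh
            strings.clear()
            addresses.clear()
            continue
        m = CONST_STRING.match(line)
        if m:
            reg, value = m.groups()
            strings[reg] = value
            if SMTP_HOST.match(value):
                ind.smtp_hosts.add(value)
            continue
        m = INVOKE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group(1).split(',') if a.strip()]
        cls, method = m.group(2), m.group(3)
        if cls == 'Ljavax/mail/PasswordAuthentication;' and method == '<init>' and len(args) == 3:
            user, password = strings.get(args[1]), strings.get(args[2])
            if user and password:
                ind.credentials.append((user, password))
        elif cls == 'Ljavax/mail/internet/InternetAddress;' and method == '<init>' and len(args) >= 2:
            addr = strings.get(args[1])
            if addr and EMAIL.match(addr):
                addresses[args[0]] = addr  # remember which object wraps which address
        elif cls in MESSAGE_CLASSES and method == 'setFrom' and len(args) == 2:
            if args[1] in addresses:
                ind.senders.add(addresses[args[1]])
        elif cls in MESSAGE_CLASSES and method == 'setRecipient' and len(args) == 3:
            if args[2] in addresses:
                ind.recipients.add(addresses[args[2]])
    return ind


if __name__ == '__main__':
    found = extract_mail_indicators(SAMPLE_SMALI)
    print('SMTP servers :', sorted(found.smtp_hosts))
    print('Credentials  :', found.credentials)
    print('Sender(s)    :', sorted(found.senders))
    print('Recipient(s) :', sorted(found.recipients))
    print('Single point of takedown (sender == recipient):', found.same_sender_and_recipient)
```

On a real sample you would run `apktool d sample.apk` and feed every `.smali` file under the output directory through `extract_mail_indicators`. The register tracking is deliberately simple: it only sees string constants loaded in the same method, so credentials that are decrypted or concatenated at runtime, or moved between registers, will be missed and need a string-decryption pass first. Also bear in mind that for a family like Android/Bankstel, what is hard-coded is only the initial configuration; the SMS update command can have replaced it on an infected phone.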
Some other observations that can be made from the samples we've seen
- Exclusivity: None of the variants seen so far use email exclusively to communicate with the botmaster. This could be because email accounts are under the control of the email service providers and are hence easily disabled (much faster than a phone number set up to receive SMS updates, or a server that receives updates via TCP or UDP).
- Email commands: None of the variants use the email channel to listen for commands. My guess is that this is due to the complexity of incorporating a self-sufficient email client within the malware that can receive emails in real time.
- Credentials storage: Most of the variants mentioned don't store the email credentials they use on the phone. However, Android/Wroba.I saves its email credentials in plaintext on the SD card, where they can easily be changed, as was demonstrated in this post by FireEye. This makes it possible to disable the malware or redirect its traffic to a monitored destination without even uninstalling the malicious application or modifying its code.
- Multiple email IDs: Special mention must be made of the Android/Langya variant, which has no fewer than fifteen email accounts registered for the botnet to send emails from (an extract of the code can be seen below). Unfortunately for the malware authors, all of these accounts have been suspended. This should be a good indication that winning by numbers isn't exactly the best strategy in this scenario.
Figure: Multiple Email IDs used in Android/Langya.A!tr.spy
In conclusion, it is safe to say that email is still not the preferred communication medium among malware authors for their botnets. However, given the recent increase in the number of variants, and the ability in Android/Bankstel to remotely update the botmaster's email credentials, it is clearly another medium malware authors are exploring for botnet communication.