Android malware takes to the cloud
With the migration of most services to the cloud, some enterprising Android malware developers have decided to profit from this.
Google provides a service known as Cloud to Device Messaging (C2DM) that allows developers to send messages from Google’s servers to their applications on Android devices.
Android/FakeInst.C!tr, a malware variant we came across recently, employs exactly this service to carry out its malicious activities. The variant is similar to other samples of the Android/FakeInst family that we have encountered. These samples pose as installers of some sort, however, in truth only serve the purpose of sending out SMS messages without the consent of the user and monitoring incoming SMS messages on the infected phone.
In addition, this particular variant registers the device with the C2DM services using an email id (firstname.lastname@example.org) found in the application package. Once registered, the phone then listens for messages from the Android C2DM servers.
Further analysis of the code shows that the message from the C2DM servers contains three components : title, url and body. As the names would indicate, the values title and body are used to display a notification to the user while the url is automatically opened in the phone browser when the user views said notification.
In this manner attackers can get users to open malicious links that they push onto their devices without the user clicking/viewing the link.
We speculate that malware authors benefit from this since it is more effective at obscuring the attackers’ third party servers giving them the advantage of being able to hide behind an email id registered with Google’s C2DM service. However, on the flip side, this also makes it easier for Google to block these notifications by simply blacklisting the attackers’ account registered with the cloud.
How do you think malware authors benefit from using cloud services instead of sending notifications directly from their servers?