Fortinet Blog | News and Threat Research

Android malware takes to the cloud

by Ruchna Nigam  |  June 13, 2012  |  Category: Security Research

With the migration of most services to the cloud, some enterprising Android malware developers have decided to profit from this.

Google provides a service known as Cloud to Device Messaging (C2DM) that allows developers to send messages from Google’s servers to their applications on Android devices.

Android/FakeInst.C!tr, a malware variant we came across recently, employs exactly this service to carry out its malicious activities. The variant is similar to other samples of the Android/FakeInst family that we have encountered. These samples pose as installers of some sort but, in truth, only serve to send out SMS messages without the consent of the user and to monitor incoming SMS messages on the infected phone.

Android/FakeInst.C!tr application

In addition, this particular variant registers the device with the C2DM services using an email id (noviigfastn@gmail.com) found in the application package. Once registered, the phone then listens for messages from the Android C2DM servers.

Communication Through C2DM Framework

Further analysis of the code shows that the message from the C2DM servers contains three components: title, url and body. As the names indicate, the title and body values are used to display a notification to the user, while the url is automatically opened in the phone browser when the user views that notification.

In this manner, attackers can push malicious links onto users' devices and have them opened without the user clicking on or viewing the link.

We speculate that malware authors benefit from this because it is more effective at obscuring the attackers' third-party servers, giving them the advantage of being able to hide behind an email id registered with Google's C2DM service. On the flip side, however, this also makes it easier for Google to block these notifications by simply blacklisting the attackers' account registered with the cloud.
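As an added example (not from the original post and not the sample's own code), the following Python script triages a decoded AndroidManifest.xml for the combination described above: a C2DM registration and message receiver declared alongside SMS send and receive permissions. The manifest and its package name are constructed; the permission and intent names are those defined by the C2DM framework and the Android SDK.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
C2DM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
C2DM_ACTIONS = {
    "com.google.android.c2dm.intent.REGISTRATION",
    "com.google.android.c2dm.intent.RECEIVE",
}
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample: a decoded manifest (e.g. apktool output) for a hypothetical
# package; it is not the manifest of the sample discussed in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.installer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the C2DM and SMS capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # Map each receiver to the C2DM actions its intent filters accept.
    receivers = {}
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if actions & C2DM_ACTIONS:
            receivers[rcv.get(ANDROID + "name")] = sorted(actions & C2DM_ACTIONS)
    sms = sorted(perms & SMS_PERMISSIONS)
    uses_c2dm = C2DM_PERMISSION in perms and bool(receivers)
    return {
        "package": root.get("package"),
        "c2dm_receivers": receivers,
        "sms_permissions": sms,
        # Push channel plus SMS send and intercept: a triage signal, not a verdict.
        "suspicious": uses_c2dm and len(sms) == len(SMS_PERMISSIONS),
    }
```

Legitimate applications also use C2DM, so a hit only prioritises a package for closer review of what its receiver does with the pushed url.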

How do you think malware authors benefit from using cloud services instead of sending notifications directly from their servers?
