With the largest installed base of all operating systems, Android has certainly taken the mobile world by storm, and as the active user stats show, Android just keeps on getting bigger.
The platform has evolved to bring new form factors - televisions, smartwatches and cars spring to mind - but also new vulnerabilities and exploits.
HummingBad and Gooligan
HummingBad - the components of which are encrypted - “establishes a persistent rootkit with the objective to generate fraudulent ad revenue” for criminals.
Polkovnichenko and Koriat observed that the infection vector of HummingBad was a drive-by download attack via several adult content sites, with the intention of causing some serious harm:
“As the malware installs a rootkit on the device, it enables the attacker to cause severe damage if [they] decide to change [their] objectives, including installing a key-logger, capturing credentials and even bypassing encrypted email containers.”
Later in 2016, the Check Point team identified an advanced variant of the “Ghost Push” malware found in a version of the SnapPea backup application. Dubbed “Gooligan”, the attack campaign compromised one million Google accounts to “access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more” via authorisation token theft.
Check Point found Gooligan malware code in “dozens” of legitimate-looking apps on third-party Android app stores; a total of 86 apps available in these external marketplaces had the potential to root 74 percent of the entire Android smartphone market.
Google’s Director of Android Security Adrian Ludwig responded to concerns in a brief statement, confirming that Google was aware of the threat.
Top tips for staying safe
1. Steer clear of sideloading
Sideloading - bypassing the Play Store to install apps from external sources - can be risky business. Rather than individually screening app submissions for malicious code, Google have opted for an approach based around continuous monitoring.
As with the mixed bag of Android malware scanners and protection mechanisms, Google’s “Bouncer” can be bypassed. If downloaded outside the Play Store, it’s difficult to know whether a file ending in
.apk is truly safe - which is why “unknown sources” is switched off by default on Android.
Three days after Pokémon GO arrived in Australia and New Zealand, Proofpoint researchers identified a modified version infected with the DroidJack RAT (also known as SandroRAT), spread through third party app stores.
So, in a nutshell: steer clear of sideloaded apps and stick with Google Play, or only use vetted third-party sources like Amazon Appstore, Humble Bundle or your organisation’s internal marketplace.
2. Keep your device up to date
When you consider the state of Android updates across the board, the term “fragmentation” may spring to mind.
The platform’s user base is segmented by varying levels of release adoption - from legacy manufacturers stuck with KitKat to Google’s flagship Pixel running the newest stable build of Nougat.
Billed as “a toxic hellstew of vulnerabilities” by Apple CEO Tim Cook, fragmentation creates deeper issues that extend beyond users’ “fear of missing out” on Android’s latest and greatest features.
Early last August, the Check Point team disclosed details pertaining to “QuadRooter” - a set of four vulnerabilities affecting Android devices with Qualcomm chipsets.
Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.
As part of the official remediation strategy, Check Point remind users to download and install the latest Android updates as soon as they become available - including important security updates that help keep your device protected. Here’s how to do that:
- Visit your device’s Settings menu.
- Scroll to the bottom and select “About phone.”
- Select the “check for updates” or “system updates” option.
It’s good advice, but the bad news is that you may be one of the unlucky Android users who finds that following it results in nothing happening.
The sad truth is that purchasers of some manufacturers’ Android phones are being treated poorly - with no prospect of ever receiving security updates to defend themselves against threats.
3. Check app permissions carefully
Imagine downloading a new flashlight or note-taking app, only to discover it requires permission to access your contacts, send SMS messages, track your location and communicate across the internet.
Multiple permission models exist across the Android platform, meaning that malicious actors may target specific device classes when exfiltrating data to endpoints and shady ad networks. Before installing a new app, check the permissions requested, and be especially wary of those tagged with “this may cost you money” or with unnecessary requirements that may violate your privacy.
The Proofpoint research team allude to this point in its analysis of the infected Pokémon GO app:
Another simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings → Apps → Pokemon GO and then scrolling down to the Permissions section.
4. Read up on reviews and developer profiles
My next point of advice stems from a familiar safe computing practice: be careful about what you download, and be on the lookout for “too good to be true” applications. You can gain awareness into an app’s background by checking customer reviews and a developer’s ratings for their entire range of apps.
Be careful though - malicious hackers often create fake versions of popular apps, fabricating a stream of overly positive reviews to drown out users’ complaints. Sift through the haphazard array of spam to identify legitimate comments, and be sure to flag suspicious apps or comments to the Google Play store team.
Looking to another case which surfaced in August 2016: fake builds of the Prisma photography app placed up to 1.5 million users at risk of unwanted advertisements and data theft, as David Bisson reports.
Similar to the Pokémon GO DroidJack infection, David remarks that “malicious developers couldn’t resist” creating fake Prisma applications, with research from ESET indicating the emergence of several Trojan-laced versions.
Okay, don’t shoot us. We said we weren’t going to mention anti-virus software in this list of advice, and we know its inclusion will be controversial with some readers.
Some people swear by running some type of anti-virus product on their Android device, while others shudder at the idea - claiming that it will be too hungry on system resources, and isn’t worth it.
We think you should decide for yourself.
There are plenty of well-known security firms out there who have produced Android versions of their products - with some of them free for use by consumers. See how you get on and whether you can live with it.
Chances are, especially in an ecosystem where it can be hard to rely upon Android security patches from your phone’s manufacturer, that some form of anti-virus might provide an additional layer of protection.
But you should try it for yourself, trying out different security products, and see if you can live with one of them.
Stay up to date on the latest developments by keeping a close eye on our latest coverage on Android-related security issues.