Only 4 months into 2014 and the Android malware problem continues to explode. Android malware and high risk apps have already reached the 2 million mark, putting us well on our way to our CTO’s prediction of 3 million pieces of malware and high risk apps (Diagram 1). In fact, in the first 3 months of 2014, we found more than 500,000 new instances of Android malware and high risk apps globally. As we continue our work to protect against these threats, we’ve seen another threat migrate from the PC world to Android: a new fake anti-malware application (FakeAV) in Google Play called Virus Shield.
Virus Shield first became available on Google Play March 28. It cost US$3.99 and our analysis shows it was bought and downloaded more than 10,000 times. In fact, this malicious app became the No. 1 new paid app in just over a week.
We looked more closely at this app to understand it better. Our analysis shows that the only thing this app does is change the image from an “X” to a checkmark image after a simple tap (Diagram 2). It relies on some clever social engineering in its app store listing to convince people it’s legitimate so that they’ll pay to download it. One example is the very impressive 4.7-star rating and more than 2,500 Google Plus “recommendations” it has received. Another is that it was posted as a social mobile app rather than a security app. Based on the 70/30 revenue split rule on Google Play, we estimate the developer of this app actually collected more than US$25,000 in less than 10 days. In this case, the app was removed from Google Play by Google on April 6. But the app is still out there and attackers will likely post it to other online stores or sell it for direct download (a favorite tactic outside the US).
This kind of app actually highlights a new capability in Trend Micro Mobile App Reputation Services that can help protect customers. In addition to our static analysis, Trend Micro Mobile App Reputation Service also now uses an advanced dynamic analyzer that helps identify fake apps like this.
The Trend Micro Mobile App Reputation Services dynamic analyzer creates a sandbox environment that simulates the mobile device and operating system so that we can monitor the actual behavior of the mobile app (Diagram 3). The sandbox even provides an actual 3G and GPS signal to the mobile app to create as real an environment as possible. We analyze the actual behavior of apps in this sandbox environment to build a reputation score. We take this reputation score and then combine it with the results from our static analysis to give you the best, most comprehensive reputation score possible.
Because the Trend Micro Mobile App Reputation Service is a cloud-based service, it’s always available globally to any product or service provider that integrates with it using REST (Representational State Transfer), the HTTP-based approach that web services usually use to provide APIs for third-party integration. This makes our advanced mobile protection features available to these products or services. This includes the Trend Micro Mobile Security for consumers and enterprises. It’s one reason why Trend Micro’s mobile products earned a top score in the latest AV-Test March mobile benchmark result. This marks three consecutive top scores in AV-Test for Trend Micro Mobile Security products.
While right now the greatest threat that FakeAV on Android poses is the cost you pay to download it, it’s only a matter of time before greater, more malicious FakeAV threats come to Android. On this platform of increasing, fast-moving threats, it’s important not only to have security software to help protect you, but to have security software that is ever-evolving just like those threats. Trend Micro Mobile App Reputation Service’s dynamic analysis provides a means to help keep pace with these fast-moving threats and help keep you better protected.