Mobile threats are reaching new heights today, and the Android platform is becoming a favorite of attackers. Google made the Android platform as “open” as possible and released application development documentation, source code, and SDKs for anyone to see. Becoming an Android developer is quite easy—one just needs to pay a US$25 registration fee, and he/she is set and can upload applications to the Android Market.
Google trusts the community of developers and users to rate an application or flag it as “malicious.” This was supposed to encourage programmers to develop applications that would in turn attract people to purchase Android smartphones, since numerous applications would be available.
However, this openness also attracted cybercriminals, as Android’s popularity presents a perfect opportunity for them to profit. As we saw with the first Android malware, cybercriminals Trojanized legitimate applications and uploaded the new packages to third-party markets, hoping users would download them. Trojanizing legitimate apps has become the norm in the Android threat landscape, and the best advice (seemingly) is to download only from trusted sites and, of course, from the Android Market.
Yet cybercriminals seem to have gotten away with uploading a number of Trojanized applications, which Trend Micro detects as AndroidOS_LOTOOR.A.
I was able to analyze a sample of a Trojanized application, specifically the game Falling Down. (My colleague Rik Ferguson posted a complete list of the names of the Trojanized applications in his blog entry here.) The Trojanized version of the game is very similar to the clean version and is even playable.
The only noticeable difference between the Trojanized and the clean version of the game is the number of device resources the application requests permission to access.
It is possible that the cybercriminals behind this attack hoped that users would mindlessly skim through this granting of access and not realize that the application was asking for permission to access resources unrelated to the game.
This malware, like most of its predecessors, gathers device information such as the IMEI and IMSI numbers. What is new and significant about this threat is that it roots affected devices. Rooting gives a malicious user root privileges on the infected device, similar to jailbreaking on iOS devices. AndroidOS_LOTOOR.A uses two well-known binaries—rageagainstthecage and exploid—to root infected devices. It also has the capability to download and install other applications without the user’s knowledge, which gives remote attackers limitless control over infected devices.
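The permission difference described above is something a defender can check mechanically: decode the manifest of the known-clean build and of the suspect build (for example with apktool) and diff the `<uses-permission>` entries. The script below is an added example, not Trend Micro's tooling, and the two manifests in it are constructed stand-ins, not the real Falling Down manifests; the watch list of permissions a standalone game should not need is likewise an assumption for triage, chosen here because reading the IMEI/IMSI requires `READ_PHONE_STATE` and reporting it home requires `INTERNET`.

```python
"""Diff the permissions two builds of the same Android app request."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifests (NOT the real game's manifests), already
# decoded from the binary AndroidManifest.xml into plain XML.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fallingdown">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Falling Down"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fallingdown">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Falling Down"/>
</manifest>"""

# Assumed triage list: permissions an offline game has no business requesting.
GAME_WATCHLIST = {
    "android.permission.INTERNET",          # needed to send data off-device
    "android.permission.READ_PHONE_STATE",  # exposes IMEI/IMSI
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def extra_permissions(clean_xml: str, suspect_xml: str) -> list[str]:
    """Permissions the suspect build requests that the clean build does not."""
    return sorted(requested_permissions(suspect_xml) - requested_permissions(clean_xml))


def flag_suspicious(clean_xml: str, suspect_xml: str) -> list[str]:
    """Subset of the extra permissions that fall on the game watch list."""
    return [p for p in extra_permissions(clean_xml, suspect_xml) if p in GAME_WATCHLIST]


if __name__ == "__main__":
    print("Extra permissions:", extra_permissions(CLEAN_MANIFEST, SUSPECT_MANIFEST))
    print("Suspicious:", flag_suspicious(CLEAN_MANIFEST, SUSPECT_MANIFEST))
```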
The number of malware targeting mobile devices is expected to keep rising, so users should remain vigilant. Download only from trusted sources and developers. “Application Permissions” are listed when an application is installed, so please do read them and report the application if you suspect it is requesting a permission it does not need.
Trend Micro offers security for Android mobile devices through Mobile Security for Android™.
Update as of March 7, 2011, 9:40 AM Pacific Time
The Trojanized applications have since been removed from the Android Market, according to Google. Moreover, the Android team is remotely removing the malicious applications from infected devices and installing Android Market Security Tool 2011.