Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are designed to provide an authenticated, encrypted connection between a client and a server. To authenticate itself, the server presents a certificate during the handshake; the client checks that the certificate chains to a certificate authority it trusts and that it names the host being contacted. That is how the server proves its identity.
With an SSL connection, the client can be confident that it is talking to the intended server and that the data exchanged cannot be read or altered in transit. This is especially valuable for services such as online banking, email, and social networks, which need a secure tunnel for the data exchanged between clients and servers.
Unfortunately, this technology has become a double-edged sword. Android malware now uses SSL to hide its routines and evade detection.
Use of SSL Servers
SSL servers have become a resource for Android malware. We have seen malware use three kinds of server:
Unknown self-hosted servers – To talk to a self-hosted SSL server whose certificate is self-signed, malware authors must ship a custom TrustManager (the component that decides whether a presented certificate chain is accepted) and build their SSLSocket with it, so that the malicious app trusts the server’s certificate. This is necessary because the malware server’s certificate is not in the Android OS default truststore. The approach costs effort: when the server or domain changes (often in reaction to AV detection), certificate verification fails and the SSL connection breaks, so the authors have to update both the server certificate and the client app to re-establish it. In addition, self-signed certificates on static servers are easy for security companies to spot and are quickly detected. It is little surprise that few malware go this route.
Known public web-hosting SSL servers – Given the maintenance burden of a self-hosted SSL server, using a known public web-hosting SSL server is far more convenient. These servers and domains are public, stable, and legitimately operated, and their certificates are usually signed by trusted third-party (TTP) certificate authorities (CAs). The Android OS trusts these certificates by default because the CAs are pre-loaded into the system truststore. Malware authors can register hosting under a fake identity and run their malicious backend on such a server, gaining encrypted connections to infected devices without touching the client’s trust settings.
For example, a malware detected as AndroidOS_Exprespam.A hosts its malicious backend service on a well-known US web-hosting server that provides HTTPS with a certificate issued by the RapidSSL CA. Because the certificate is trusted, the malicious app can simply upload stolen information to the server over HTTPS without customizing the TrustManager.
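To make the TrustManager point concrete, here is an added example in Java (not code from this post or from any of the malware described in it). The first TrustManager is the “accept everything” anti-pattern that turns up in decompiled malware and sloppy apps; the second is the legitimate way to trust one self-signed server certificate, by making it the only trust anchor and keeping hostname verification on. The class name, the assumption that the certificate is shipped as a PEM file the caller opens (for example from app assets), and the hypothetical host are all this example’s own. SSLParameters.setEndpointIdentificationAlgorithm needs Android API 24 or any Java 7+ runtime.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {

    // Anti-pattern: every checkServerTrusted() call succeeds, so any certificate
    // (self-signed, expired, for the wrong host, or from an interceptor) is accepted.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Builds a TrustManager whose only trust anchor is the self-signed certificate in
    // `pemCert`. Any other certificate, including a rotated one for the same server,
    // fails chain validation, which is exactly the maintenance cost described above.
    static X509TrustManager pinnedTrustManager(InputStream pemCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate anchor = cf.generateCertificate(pemCert);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory keystore
        ks.setCertificateEntry("server", anchor);  // the pinned anchor

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Opens a TLS socket that validates the chain with `tm` and additionally checks
    // that the certificate names `host` (chain validation alone does not do that).
    static SSLSocket connect(String host, int port, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");  // RFC 2818 hostname check
        socket.setSSLParameters(params);
        socket.startHandshake();                             // throws on any trust failure
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical: the PEM comes from app assets, e.g. context.getAssets().open("server.pem").
        InputStream pem = PinnedTls.class.getResourceAsStream("/server.pem");
        X509TrustManager pinned = pinnedTrustManager(pem);
        try (SSLSocket s = connect("backend.example.com", 443, pinned)) {
            System.out.println("negotiated " + s.getSession().getProtocol());
        }
    }
}
```

When reviewing a decompiled app, an X509TrustManager whose checkServerTrusted body is empty (or an HostnameVerifier that always returns true) is the signature of the first variant; the second variant is also what a legitimate app does when it pins a certificate, so its presence alone is not evidence of malice.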
Figure 1. Certificate of the known server
Figure 2. Information is posted via HTTPS to the server
Known public services – Android malware can also abuse known public services. Based on our analyses, three types of application service are frequently exploited by Android malware: e-mail over SSL, Google Cloud Messaging (GCM) for Android, and popular social networks. By riding on public services that already use SSL, attackers can run command-and-control (C&C) traffic easily and without calling attention to themselves.
The Abuse of Known Public Services
We have observed several Android malware families exploit the public services listed above:
Use of email – ANDROIDOS_GMUSE.HNT pretends to be a file manager app. It steals user and device information such as the IMEI, phone number, and images stored on the SD card. Whenever the user starts the app or the phone reboots, the app starts a background service that dumps this information and uses a hard-coded Gmail account and password to send it to a particular email address.
Figure 3. Snippet of code including the Gmail account
Google Cloud Messaging – ANDROIDOS_TRAMP.HAT disguises itself as an official Google service. It collects user information such as the phone number, location, and contact list. On execution it registers a GCMBroadCastReceiver, and the stolen data is then posted via Google Cloud Messaging, which also carries the C&C channel: commands such as “send message,” “block call,” and “get current location” are sent and received over GCM.
Figure 4. Malware uses Google Cloud Messaging to track current location
Popular social networks – ANDROIDOS_BACKDOORSNSTWT.A runs its C&C through Twitter. The malware crawls Twitter for URLs and combines the strings it obtains with a hard-coded string to generate a new C&C URL. The stolen information is then sent to the generated URL.
Figure 5. ‘this.WILLIAM’ contains the crawled strings
The SSL (Dis)Advantage
There are several possible reasons why cybercriminals use SSL. Compared with plaintext transmission, data sent through SSL cannot be easily inspected, so dynamic analysis methods that rely on reading TCP payloads no longer show what an app sends. The transport metadata is still visible, however: the destination IP address, the server name in the ClientHello (SNI), and, in TLS 1.2 and earlier, the server’s certificate all travel in clear, so traffic monitoring can still identify the endpoint even when it cannot read the content.
Cybercriminals may also favor SSL servers and services because gaining access to them takes little effort. They can do so through normal, legal means, such as buying a virtual host from a web-hosting company or registering a new Twitter account. Should we see more use (and abuse) of SSL, detecting malicious apps alone may not be enough; collaboration with hosting and service providers will be needed to take down the related URLs, email addresses, and accounts.
Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources; third-party app stores may not be as strict about scanning for potentially malicious apps. We also advise using a security solution that can detect and block threats to mobile devices.
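The following added example (our own illustration, not code from this post or from any product) shows what a traffic monitor can still recover from an encrypted session: it parses the plaintext TLS ClientHello and pulls out the SNI host name, then matches it against a watchlist. The watchlist entry and the host name are hypothetical, and the ClientHello bytes are constructed in the block itself rather than captured from a device. This works for any TLS version up to 1.3 as long as Encrypted Client Hello is not in use.

```java
import java.io.ByteArrayOutputStream;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SniExtractor {

    // Hypothetical watchlist of hosts known to be abused for C&C; feed your own here.
    static final Set<String> WATCHLIST = new HashSet<>(Arrays.asList("c2.example.com"));

    // Returns the server_name (SNI) from a TLS ClientHello record, or null when the
    // bytes are not a ClientHello, are truncated, or carry no server_name extension.
    static String extractSni(byte[] record) {
        try {
            ByteBuffer b = ByteBuffer.wrap(record);
            if (b.get() != 0x16) return null;                  // content type: handshake
            b.getShort();                                      // record-layer version
            int recLen = b.getShort() & 0xffff;
            if (recLen > b.remaining()) return null;
            b.limit(b.position() + recLen);
            if (b.get() != 0x01) return null;                  // handshake type: client_hello
            int hsLen = ((b.get() & 0xff) << 16) | ((b.get() & 0xff) << 8) | (b.get() & 0xff);
            if (hsLen > b.remaining()) return null;
            b.limit(b.position() + hsLen);
            b.getShort();                                      // client_version
            skip(b, 32);                                       // random
            skip(b, b.get() & 0xff);                           // session_id
            skip(b, b.getShort() & 0xffff);                    // cipher_suites
            skip(b, b.get() & 0xff);                           // compression_methods
            if (!b.hasRemaining()) return null;                // no extensions at all
            int extLen = b.getShort() & 0xffff;
            if (extLen > b.remaining()) return null;
            b.limit(b.position() + extLen);
            while (b.remaining() >= 4) {
                int type = b.getShort() & 0xffff;
                int len = b.getShort() & 0xffff;
                if (len > b.remaining()) return null;
                if (type == 0x0000) {                          // extension_type server_name
                    b.getShort();                              // server_name_list length
                    if (b.get() != 0x00) return null;          // name_type: host_name
                    byte[] name = new byte[b.getShort() & 0xffff];
                    b.get(name);
                    return new String(name, StandardCharsets.US_ASCII);
                }
                skip(b, len);                                  // some other extension
            }
            return null;
        } catch (BufferUnderflowException | IllegalArgumentException e) {
            return null;                                       // malformed or truncated
        }
    }

    private static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }

    // Detection check a monitor would run per new connection.
    static boolean hitsWatchlist(byte[] record) {
        String sni = extractSni(record);
        return sni != null && WATCHLIST.contains(sni.toLowerCase());
    }

    // Constructed sample (not a capture): a minimal TLS 1.2 ClientHello naming `host`.
    static byte[] sampleClientHello(String host) {
        byte[] name = host.getBytes(StandardCharsets.US_ASCII);
        ByteArrayOutputStream sni = new ByteArrayOutputStream();
        u16(sni, 0x0000);                      // extension_type server_name
        u16(sni, 2 + 3 + name.length);         // extension_data length
        u16(sni, 3 + name.length);             // server_name_list length
        sni.write(0x00);                       // name_type host_name
        u16(sni, name.length);
        sni.write(name, 0, name.length);

        ByteArrayOutputStream body = new ByteArrayOutputStream();
        u16(body, 0x0303);                     // client_version TLS 1.2
        body.write(new byte[32], 0, 32);       // random (all zero in this sample)
        body.write(0x00);                      // session_id length 0
        u16(body, 4); u16(body, 0x1301); u16(body, 0xc02f);   // two cipher suites
        body.write(0x01); body.write(0x00);    // compression_methods: null only
        u16(body, sni.size());                 // extensions length
        body.write(sni.toByteArray(), 0, sni.size());

        ByteArrayOutputStream hs = new ByteArrayOutputStream();
        hs.write(0x01);                        // handshake type client_hello
        int len = body.size();
        hs.write(len >> 16); hs.write(len >> 8); hs.write(len);   // 24-bit length
        hs.write(body.toByteArray(), 0, len);

        ByteArrayOutputStream rec = new ByteArrayOutputStream();
        rec.write(0x16);                       // content type handshake
        u16(rec, 0x0301);                      // record-layer version
        u16(rec, hs.size());
        rec.write(hs.toByteArray(), 0, hs.size());
        return rec.toByteArray();
    }

    private static void u16(ByteArrayOutputStream out, int v) { out.write(v >> 8); out.write(v); }

    public static void main(String[] args) {
        byte[] hello = sampleClientHello("c2.example.com");
        System.out.println("SNI=" + extractSni(hello) + " watchlist hit=" + hitsWatchlist(hello));
    }
}
```

In a sandbox, the same parser run over the first client-to-server record of each TCP connection recovers the destination host name even though the payload is encrypted; for the public-service cases above it only tells you the app talked to Gmail, GCM, or Twitter, which is exactly why those services are attractive to the attacker.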
We have notified Google about this issue.