Last week, we talked about the OBAD Android malware, which installed itself as an administrator on the device and used a vulnerability in Android to hide this fact from the user.

One effect of this particular behavior was to make removal of this threat very difficult. Apps that have set themselves up as administrators require user interaction to remove: but because the vulnerability hides the app, it can’t be removed.

In response to this threat, we have created the Hidden Device Admin Detector app. This tool’s purpose is simple: it allows users to keep track of and disable apps that have device administrator privileges but are hidden from Android Device Administrator list.

Most apps do not need to these device administrator privileges. One can think of them as being analogous to holding root access on a Linux/Unix machine, or having administrator access on Windows. It gives you complete control over the machine. Most apps do not need this level of access; this is why the user has to be prompted to enable these privileges. Apps that do require these privileges include security apps (like Trend Micro Mobile Security) and system administration apps that may be used in BYOD situations.

When run, the app will display the apps with administrator privileges that exploit this vulnerability to hide themselves:

Figure 1. Hidden Device Admin Detector app

From here, users can disable the privileges. Malicious apps with disabled administrator privileges can be removed normally, either by security products or the user.

Android does contain this feature as well, but because of the above vulnerability the list it provides may not be complete. Google may patch the vulnerability in the future, but the complicated Android update situation means many users will never get the patch. We recommend that all users download this app and periodically check for malicious apps on their Android devices.

You can download the app by going to the Google Play app store.

Just days after its release on the Apple App Store, some sites are already offering their own dubious versions of Temple Run 2 for Android.

With 20 million downloads just 4 days after its release on the Apple App Store, Temple Run 2 is indeed highly-anticipated among Temple Run fans and gaming fanatics. While the Android version of the game is scheduled for release this Thursday, we already found certain websites peddling what appears to be Temple Run 2 for Android.

We downloaded a supposed Temple Run 2 app and analyzed it. Luckily, the apps (detected by Trend Micro as ANDROIDOS_FAKETEMPLRUN.A) do not exhibit any noteworthy malicious routines. However, they do send ad notifications to users. And to rub salt to wound, both apps do not run the actual Temple Run game.

We also noticed other sites that offer Temple Run 2. Looking closely at the description of one of these sites, the developer posted a disclaimer about the app. Though the site does not exhibit any harmful routine, the use of Temple Run 2 to persuade users to download the “wallpaper” app (some sites offer a puzzle app, among others) is quite suspect.

Read the rest of this entry »

Recently, we found that Android’s debugging feature could be used to steal information from apps running on an Android device. We won’t go into the full details of the problem here, but here is the short version: with some effort, an app can be set up on Android to debug another running app. This debugging app would have access to all the information the debugged app has, so items like user names and passwords are trivial to steal.

Before we go any further, however, we need to be clear what versions of Android are affected. This vulnerability is only in version 2.3 (Gingerbread) or earlier. Practically all Android devices sold today run newer versions, as Gingerbread was last updated in September 2011. However, Google’s own numbers indicate that more than half of all Android devices in use still run these potentially older versions of Android.

In a way, this problem serves as a microcosm of the issues surrounding the entire Android ecosystem. Let’s divide the ecosystem into three parties: app developers, Google and telecom companies, and end users. What can each segment do?

App developers

In this particular instance, for an app to be vulnerable to being debugged it has to have been set to be debuggable in the first place. In general, debuggable versions of apps should not be released to the public. (Approximately 5% of apps in the Top Free apps list are set to be debuggable, so the risk is not insignificant.)

In general, however, “best practices” for mobile apps may not be as set in stone as they are for desktop applications. It would be a good idea for mobile developers to consider the security of their apps, not just their features and ease-of-use.

Read the rest of this entry »

We recently encountered ANDROIDOS_SMSZOMBIE.A, an Android Trojan targeting China Mobile subscribers that takes control of a device’s SMS functionality. It can send, forward, and drop SMS messages. What makes this more troubling for users is the fact that this malware is difficult to uninstall. A dedicated removal tool will be released to Google Play and Chinese app stores next week.

As other researchers have noted, this Trojan takes advantage of a vulnerability in the China Mobile SMS payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information.

How does this threat arrive on user devices? It is usually wrapped by a wallpaper app. Once installed, it can be enables by clicking Menu > Wallpaper > Live Wallpapers.

After the live wallpaper has been enabled, the user is asked to install the Trojan (which is described instead as a “game”, complete with 100 free points).

Once installed, the malware will ask to activate itself as a device administrator. The malware claims that by doing this, it will save power. If the user clicks the cancel or return buttons, the alert appears again. Only after the Trojan has been activated as a device administrator, will it let the user return to their main screen.

As previously mentioned, this particular Trojan is quite difficult to uninstall. Using Android’s own uninstall function simply redirects the user to their home screen, without an opportunity to select the app to be uninstalled. Even if a third-party app is used in an attempt to uninstall the Trojan, it can’t be removed because it’s still active as a device administrator. If the user pushes through with the attempt to deactivate it as an administrator, the Trojan will say that deactivating it will cause system errors. If the user deactivates it, the Trojan will keep prompting the user to reactivate it again.

App Payload

What does this app do once it is installed on the user’s device? When first run, it sends the app version and device information (model, OS, language, network) to a “control number” via SMS.

Once running, it has the following capabilities:

• Forward every received SMS message
• Drop SMS which contains words in a configurable list
• Send SMS messages
• “Write” an SMS message into the inbox

All of these capabilities are controlled via SMS messages sent by the attacker to the device. These instructions are all in the following XML format:

For example, if the attacker wants to send a SMS from the infected device to China Mobile, he can send the following content to the device:

<con>11</con><rep>10086</pre><M></M>

Configuration files are in XML format as well:

This particular file shows the default control number, default content keywords (转, 卡号, 姓名, 行, 元汇, 款, hello), and default number keyword of “10″.

How does this app prevent itself from being uninstalled? It does the following actions to do this:

• The wrapper app will check the Trojan’s state. If the Trojan is uninstalled the wrapper app will ask the user to install the Trojan. Alternately, if the Trojan is stopped, the wrapper will restart the service.
• If any of the Trojan’s service are stopped, it will start the service again.
• If any of the following are opened, the user will be returned to their home screen:
  • Device administrator settings
  • Trojan’s application detail
  • The app 360safe
• If the Trojan is not active as a device administrator, it will keep asking to be activated as such.
• When the Trojan is deactivated from being a device administrator, the user is led to believe that deactivating it will cause errors.

Here are the steps you need to perform to manually uninstall this malware:

1. First of all, uninstall the wrapper wallpaper app.
2. Use a third-party app to terminate android.phone.com.
3. Deactivate the Trojan from being a device administrator. Ignore any warnings by pressing the home button.
4. Terminate android.phone.com again.
5. Uninstall the Trojan normally.

To automate the above process, Trend Micro will release a dedicated detection and removal app. We will update this post with a link to the said tool once it has been released.

Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

We’ve reported previously that malicious apps were discovered in the official Android app store, which is now known as Google Play. While those reported apps were removed, more malicious apps have been seen in the official marketplace and appear to be still victimizing users. This is just one of the important reasons why we feel that a technology like our Trend Micro Mobile App Reputation is crucial in users’ overall mobile experience and security.

In total, we have discovered 17 malicious mobile apps still freely downloadable from Google Play: 10 apps using AirPush to potentially deliver annoying and obtrusive ads to users and 6 apps that contain Plankton malware code.

Among them, one app which explicitly describes itself as a spying app has also been flagged as a threat by Trend Micro due to its potential for misuse. This particular threat is known as ANDROIDOS_PDASPY.A. Its Google Play page makes it clear what its purpose is:

The attacker must initially install and set up this particular app onto the target phone, as can be seen in the following screenshots:

Its capabilities include tracking a phone’s location, phone calls, and messages. Once the attacker presses the “Save & Start” button, the attacker can then track the device via the website given:

Most of these apps have been downloaded several thousand times. The above PDASpy app appears to have been downloaded more than 100,000 times. Collectively, the detected apps have been downloaded more than 700,000 times. Users not running any mobile security app may be victimized by annoying ads (AirPush) or the apps’ (Plankton) malicious connections to remote C&Cs.

We discovered these apps as part of our Mobile App Reputation efforts. We continuously monitor both official and third-party app stores for both newly uploaded and popular apps and check for the behavior of these apps. We look not just for malicious behavior, but also bandwidth-consuming and battery-consuming routines.

Trend Micro Mobile Security Personal Edition is capable of detecting the threats we mentioned above.

Related:

• Read up about mobile malware information from the Mobile Threat Information Hub
• Watch the Mobile App Reputation video on the CTO Insights blog
• Read about the Trend Micro Mobile App Reputation

Update as of 1:59 AM PST

Google already removed some apps cited on this blog post. We will continue to monitor this case and update this entry for any progress.