
Droidpak: A sneak attack on Android devices via PC malware

New Android banking malware leverages vulnerable PCs to install itself on Android mobile devices. Learn how to foil this latest exploit.

Symantec researchers have found what they are calling the first known example of Windows malware specifically designed to infect Android devices. “We’ve seen Android malware that attempts to infect Windows systems before,” mentioned Flora Lui, author of the Symantec post announcing Droidpak. “Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices.”

Exploits Windows first

Droidpak is a trojan designed to exploit the Windows operating system and gain a foothold on the victim’s computer. After Droidpak settles in, it contacts a remote command and control server. Then, according to Symantec Security Response, the remote server sends a configuration file back to the infected Windows computer similar to the example below:

[http://]xia2.dyndns-web.com/iconf[REMOVED]

Notice the configuration file references a website. The infected computer tries connecting to the website. If successful, an Android malware file similar to the one below will begin downloading:

%Windir%\CrainingApkConfig\AV-cdk.apk(Android.Fakebank.B)

The remote server may also download tools, such as Android Debug Bridge (ADB), in order to install the Android package (APK) or other malware destined for the target Android device (phone or tablet) connected to the infected computer via a USB cable.
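The chain described above (a beacon to the configuration host, an APK written under %Windir%\CrainingApkConfig\, and adb.exe run with install from an unexpected parent process) is easy to turn into endpoint detection logic. The script below is an added, defender-side example and is not code from the article or from Symantec. The log format, field names and every sample line are constructed for the example; only the host name xia2.dyndns-web.com, the drop directory and the AV-cdk.apk file name come from the article, and the list of processes that normally launch adb.exe on a developer workstation is an assumption.

```python
"""Toy detection pass over constructed Windows endpoint log lines for the
Droidpak chain: beacon to the configuration host, APK dropped under
%Windir%\\CrainingApkConfig\\, Android Debug Bridge used to install it."""
import re
from dataclasses import dataclass, field

# Indicators taken from the article (the full URLs were redacted there).
C2_HOSTS = {"xia2.dyndns-web.com"}
# Endpoint logs usually record the expanded path, so match the directory name
# rather than the %Windir% variable.
APK_DROP_DIR = re.compile(r"\\CrainingApkConfig\\", re.IGNORECASE)

# Assumption for this example: on a developer workstation adb.exe is launched
# from a shell or the IDE, never from an unrelated, freshly written executable.
ADB_EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "studio64.exe"}


@dataclass
class Event:
    kind: str                                   # "net", "file" or "proc"
    fields: dict = field(default_factory=dict)  # key="value" pairs


def parse_line(line: str) -> Event:
    """Parse the constructed format: <kind> key="value" key="value" ..."""
    kind, _, rest = line.strip().partition(" ")
    return Event(kind, dict(re.findall(r'(\w+)="([^"]*)"', rest)))


def classify(ev: Event):
    """Return the name of the rule a single event trips, or None."""
    f = ev.fields
    if ev.kind == "net" and f.get("host", "").lower() in C2_HOSTS:
        return "droidpak_c2_host"
    if ev.kind == "file":
        path = f.get("path", "")
        if APK_DROP_DIR.search(path) and path.lower().endswith(".apk"):
            return "apk_dropped_in_windir"
    if ev.kind == "proc":
        image = f.get("image", "").lower()
        argv = f.get("cmdline", "").lower().split()
        parent = f.get("parent", "").lower()
        if image.endswith("adb.exe") and "install" in argv \
                and parent not in ADB_EXPECTED_PARENTS:
            return "adb_install_unexpected_parent"
    return None


def detect(lines):
    """Return [(rule, line), ...] for every log line that matches a rule."""
    alerts = []
    for line in lines:
        rule = classify(parse_line(line))
        if rule:
            alerts.append((rule, line))
    return alerts


# Constructed sample log. "updater.exe", "chrome.exe" and the SDK path are made
# up; the host, the drop directory and AV-cdk.apk are the article's indicators.
SAMPLE_LOG = [
    r'net host="play.google.com" proc="chrome.exe"',
    r'net host="xia2.dyndns-web.com" proc="updater.exe"',
    r'file path="C:\Windows\CrainingApkConfig\AV-cdk.apk" proc="updater.exe"',
    r'proc image="C:\Windows\CrainingApkConfig\adb.exe" '
    r'cmdline="adb.exe install C:\Windows\CrainingApkConfig\AV-cdk.apk" parent="updater.exe"',
    r'proc image="C:\sdk\platform-tools\adb.exe" cmdline="adb.exe install app-debug.apk" parent="cmd.exe"',
]


def run_sample():
    """Alerts produced by the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, line in run_sample():
        print(f"{rule}: {line}")
```

The developer's own `adb.exe install` launched from cmd.exe produces no alert, while the same command spawned by the dropped executable does; on a fleet where USB debugging is disabled, any adb.exe install invocation at all is worth a look.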

Success: Android.Fakebank.B installed

Several things have to happen in order for Droidpak to successfully install its payload—Android.Fakebank.B. We will look at those in a bit. First, let’s look at what the malware developers designed Android.Fakebank.B to do once installed as an application on an Android device.

Android.Fakebank.B will show up as a “Google App Store” application as shown in the slide below.

[Image: the Android.Fakebank.B icon appearing as "Google App Store". Photo: Symantec]

Once installed, Android.Fakebank.B looks to see if there are any mobile banking apps installed on the Android device. Symantec said the version of Android.Fakebank.B studied was specifically targeting Korean banking applications. If Android.Fakebank.B finds a familiar banking app, it attempts to make the user believe the currently installed banking app is malware that should be removed and replaced by Android.Fakebank.B. If the user agrees and loads Android.Fakebank.B, the malware is in position to steal login credentials and possibly account information when the user logs in using what is thought to be the correct banking app.

Symantec mentions that, “Android.Fakebank.B also intercepts SMS messages on the compromised device and sends them to the following location.”

http://www.slmoney.co.kr[REMOVED]

Users need to agree

Now it’s time to talk about what needs to happen for Droidpak/Android.Fakebank.B to be successful. Users must agree to install any program on an Android device. This is where social engineering comes into play, and we all know the bad guys are getting good at it.

Symantec, and other Android experts I talked to, suggest turning off USB debugging on Android devices. Most people will never need USB debugging: it is a developer tool used to sideload Android applications from a computer, and it is the reason Droidpak works. This link explains how to disable USB debugging.

The Android experts also said they would be remiss in not mentioning the importance of having AV applications on both computers and Android devices. With Droidpak unmasked, AV companies will have their products looking for it.

Just released AV-Test results

Speaking of antivirus applications for Android, Andreas Marx, CEO of AV-TEST Institute, just sent me the latest Android antivirus app test results. Marx wrote, “30 Android security apps were tested: only two products failed in our latest review against 2,191 malicious apps.”

In the email, Marx included what he considered to be key elements of the latest test:

  • The average malware protection rate was 96 percent (almost 1 percent less than last review).
  • Only four security apps created false positives on our test systems, two out of them related to clean Apps from Google Play (Comodo and Panda), two more from 3rd party App stores (AegisLab and AhnLab).
  • Features offered by the free and paid-for security apps differed significantly. Therefore, we recommend a close review of security features like anti-theft, backup and encryption.

The test results will show up on the AV-TEST website today, Feb. 3.

Final thoughts

Several things have to go right before the Droidpak/Android.Fakebank.B malware combination can successfully steal banking information, but that was also the case with the first versions of banking malware targeting PCs. Now, Zeus and Neverquest are highly successful banking malware.

I would prefer to be wrong, but due to the popularity of mobile devices and the number of banking apps, I’m afraid bad guys are going to make sure malware like Droidpak succeeds.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

7 comments
dhayfule

What about turning OFF the Security option "Allow install from unknown sources" in Android System Settings? Does this ensure that such (unknown) application doesn't get installed? Also I am a Desktop Linux User, and connect my Linux Desktop to my Device through USB. Do I have to worry about the malware infections?

Jaytmoon

Do any of the Android security apps protect the user from this exploit?

Michael Kassner

To avoid confusion, I wanted to point out something I was remiss in mentioning in the article. In the screen shot, the app circled in red is called "Google App Store" and that is the icon of the malware. The real app looks similar, but is called "Play Store." The bad guys are hoping users will not notice the difference. Thanks, Joseph, for reminding me.

PhilippeV

@dhayfule the "unknown sources" are most often the competitors of Google Play. Most of them are crap, but some of them are needed for specific apps of the device itself.

Samsung, for example, has its own app store, but don't use it for anything other than Samsung apps...

There are however independent APK stores for open source projects that you will never find on Google Play because Google refuses to host them on its store (this includes many apps for dating sites featuring porn photos, but not only that; there are also apps for which Google wants too high payments from small open sourced projects).

Also Google does not want you to install some useful things on your Android device, such as many fonts (even if you have valid licences for using them on your device). This is still a problem for communities that want better support of their language and script.

Michael Kassner

@Jaytmoon That is a good question. I will ask Andreas if he is looking into this. If anyone would know, he would.

stevec303

@Michael Kassner - Excuse my naivety, but why haven't they made the icon a carbon copy of the real Play Store icon?