Drive-by Download, Twitter Botnet & Photo-Bombing Trojan Mark New Android Malware

September 4, 2012

The Android OS is the most popular target for developers of mobile malware, with practically all new mobile malware directed at the Android platform, raising the challenge for mobile security providers. The mix includes short message service (SMS) sending malware, mobile botnets, spyware, and destructive Trojans.

The growth in Android malware is unprecedented — and several new types have appeared. Here’s a look at a few of the new threats:

The first is a drive-by download attack similar to drive-by installations on the PC, where simply visiting a site infects your computer. Mobile drive-by downloads can likewise drop malware onto a phone when the user visits a site; however, the victim still needs to install the downloaded malware. But when an attacker names the file “Android System Update 4.0.apk,” suspicions can vanish.

The second is a new botnet that uses Twitter for command and control. Instead of connecting to a web server, the malware searches for commands from specific attacker-controlled Twitter accounts. The attacker can tweet commands, and all infected devices will follow them. Using a service such as Twitter allows an attacker to leverage the resources of others without paying for a dedicated server or stealing one that belongs to a victim. Internet Relay Chat (IRC) servers have been exploited in the past for similar reasons, but using a web service gives attackers a small measure of anonymity.

The third is a photo-bombing Trojan. Android/Moghava.A is a Trojan that corrupts all photos on an SD card. Android/Stamper.A is a new variant that uses a different picture and targets fans of a popular Japanese singing group; the image is from a “What would your baby look like?” competition. Android/Stamper.A is otherwise very similar to Android/Moghava.A — the only difference is the image that overwrites the victim’s photos. Fans expecting to get results from the pop group’s fan elections instead have all their pictures photo-bombed by the image of a baby.

If much of Android malware seems similar to PC malware, it should come as no surprise. Malware developers leverage the expertise they honed during years of writing malware for other platforms. Mobile malware is certainly not proof-of-concept or early code. It is fully functional and mature, and mobile malware writers know what they are looking for — consumer and business data.