Mobile Malware Continues to Thrive

August 8, 2014

McAfee Labs has observed rapid mobile malware growth in prior quarters, and the first quarter of 2014 has been no exception. Most mobile malware theft occurs when attackers abuse the standard device application programming interfaces (APIs) to steal sensitive user information: rather than exploiting a flaw in the platform, the malware drives the same features a legitimate app would use. In recent instances, McAfee Labs researchers found that malware developers are also targeting legitimate apps and services for mobile devices.

Mobile Malware App Attacks
Researchers at McAfee Labs recently uncovered a dangerous Android app on the Google Play store, detected as Android/BadInst.A. The app is particularly threatening because it can automatically download, install, and launch other apps without the user's consent, a confirmation step that Google Play normally requires before an app is installed. Bypassing that confirmation opens a device to the silent installation of further malware without the user's knowledge.

Android/BadInst.A obtains device access by reading the user's account information and asking the user to authorize access to multiple Google services. Once that access is granted, the app downloads, installs, and launches other apps from the Google Play store without any further knowledge or approval from the user.

The communication protocol between the app and the Google Play store is undocumented and not intended for use by third-party apps, yet the malware speaks it directly. McAfee Labs has also observed that Android/BadInst.A can obtain and use authorization tokens for Google services beyond the Google Play store. Access to those services could lead to breaches of user information and to actions performed in the user's name within other Google accounts.

Digital wallet services are also at risk. The Trojan Android/Waller.A exploits a flaw in the Visa QIWI Wallet service, interfering with its money-transfer protocol to take the user's money. The malware tricks users into installing it by posing as Adobe Flash Player or another legitimate app, and once installed it hides itself from the device's home screen. With access to the device, the malware looks for a wallet account and transfers any balance to the attacker.

Another Trojan, Android/Balloonpopper, abused the popular messaging app WhatsApp. McAfee Labs researchers found that the malware looked harmless, disguised as the app BalloonPop, but in fact stole conversations and photos stored by WhatsApp on the user's device and sent them back to the attacker. The WhatsApp vulnerability has since been fixed, but attackers are likely to keep building similar attacks.
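The three Trojans above share a pattern: each needs a particular combination of ordinary platform permissions, and each reaches the network. As an added illustration (this is not code from the McAfee Labs report), here is a small static triage script in Python that reads a decoded AndroidManifest.xml and flags those combinations: account-token access (the BadInst case), SMS send/receive (the channel this example assumes for Waller.A's wallet transfers; the report does not say which channel it used), broad external-storage reads (the Balloonpopper case; the report does not say where WhatsApp kept the data), and the absence of a launcher activity, which is one way an app can stay off the home screen as Waller.A does. The permission groupings and both sample manifests are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups that, together with INTERNET access, deserve a second
# look. These groupings are this example's own triage heuristics, not a
# McAfee Labs rule set.
INDICATORS = {
    "account-token-abuse": {          # BadInst-style use of Google account tokens
        "android.permission.GET_ACCOUNTS",
        "android.permission.USE_CREDENTIALS",
        "android.permission.AUTHENTICATE_ACCOUNTS",
    },
    "sms-channel-tampering": {        # assumed channel for wallet-transfer abuse
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "storage-harvesting": {           # bulk reads of app data left on shared storage
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}


def _android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Extract package name, requested permissions and launcher presence
    from a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    has_launcher = False
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            categories = {_android_attr(c, "name") for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "has_launcher": has_launcher,
    }


def triage(xml_text):
    """Return (package, findings); each finding is (label, matched permissions)."""
    info = parse_manifest(xml_text)
    findings = []
    network = "android.permission.INTERNET" in info["permissions"]
    for label, group in INDICATORS.items():
        matched = sorted(info["permissions"] & group)
        # Data that cannot leave the device is less interesting: only flag a
        # sensitive group when the app can also reach the network.
        if matched and network:
            findings.append((label, matched))
    if not info["has_launcher"]:
        # No MAIN/LAUNCHER activity means no home-screen icon, one way an app
        # stays out of the user's sight after installation.
        findings.append(("no-launcher-activity", []))
    return info["package"], findings


# Constructed sample: a fake "Flash Player" that talks to an SMS channel and
# has no launcher icon. Not a real malware sample.
FAKE_FLASH_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Adobe Flash Player">
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app with a launcher icon and only network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (FAKE_FLASH_MANIFEST, BENIGN_MANIFEST):
        package, findings = triage(sample)
        print(package, findings or "no indicators")
```

Feed it the manifest that apktool or a similar decoder produces from an APK. Two caveats a practitioner should keep in mind: the script reads only what the manifest declares, so an app that ships a launcher activity and disables it at runtime after first launch would not trigger the no-launcher finding, and a hit on any of these groups is a reason to look closer, not a verdict; plenty of legitimate SMS, backup and account-sync apps request the same permissions.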

Stronger Mobile Protection Is Necessary
As mobile malware becomes more sophisticated, leveraging legitimate apps and standard platform features to circumvent basic mobile security, stronger protections are clearly necessary. McAfee Labs believes that app developers need to protect their apps from unauthorized use, and that app stores need to ensure that data is accessed only by authenticated and authorized apps. These precautions matter most for higher-privilege apps that handle finances and other sensitive data. Basic user hygiene, such as updating apps to pick up security fixes, avoiding untrusted apps, and denying permissions to unfamiliar apps, also goes a long way toward maintaining mobile security.