Summer 2017's Most Common Android Malware

By Kim Crawley

Android malware is no joke. Its prevalence has exploded ever since HTC Dream, the first commercial Android phone, launched in 2008. G Data Security identified 1,192,035 new Android malware samples in 2013, and 3,246,284 new Android malware samples in 2016. That's about 2.7 times as many samples in 2016 as they had three years before. They expect 3,500,000 new Android malware samples by the time 2017 is over.

Clearly, endpoint security for Android devices is vital and they should all be running updated antivirus (AV) software whether for personal or enterprise use. But we know that devices aren’t always as up to date as they should be, and that’s been a problem historically with Android devices, in particular.

On July 17, Check Point Software released a rather interesting report. Its focus was “malvertising campaigns,” but what really caught my attention is the three common Android malware families that they refer to as their top three “most wanted” mobile malware. I decided to take a closer look at them.

Hummingbad

Hummingbad is the big one. According to Check Point, it accounts for over 72% of all mobile infections. Check Point first discovered it in February 2016. It often appears on devices via a drive-by download attack. Check Point identified payloads on adult content sites, but other types of webpages and Internet resources are delivering payloads as well. One component tries to acquire root privileges on its own. Failing that, a second component tries to acquire root with a fake system update notification.

Whether or not its privilege escalation attack is successful, Hummingbad and its variants will try to download as many malicious apps as possible to a user's device. One malicious component known as SSP installs malicious apps and displays illegitimate ads. Device booting, connectivity changes, and turning the screen on or off are all triggers for SSP. SSP wants to know that a user is present. Like ransomware, Hummingbad really wants a user's attention - it's not covert malware at all. Ad networks used by Hummingbad include Cheetah, Startapp, Mobvista, and Apsee.

Hummingbad delivers ads that have a close button. Of course, the close button is designed to fool the user. The malware prevents the user from being able to return to their home screen or go back. If the user touches the ad's close button, the button will react like a non-malicious close button but will actually trigger more malicious APK installs. Ouch!

Hummingbad also messes with Google Play. SSP injects a malicious library into a user's Google Play process. Then the malware can imitate clicks on buy, install, and accept buttons.
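The behaviours described above for the SSP component (waking on boot and connectivity changes, pushing further APK installs, and drawing an ad the user cannot dismiss) leave traces an analyst can look for statically. The following script is an added example for this post, not code from Check Point or the author: it triages a decoded AndroidManifest.xml for those indicators. It assumes the manifest has already been extracted from an APK and decoded from binary XML to text (for example with apktool); the two manifests below are constructed samples, not real malware. Screen on/off broadcasts cannot be declared in a manifest and must be registered at runtime, so a manifest scan only sees the boot and connectivity triggers; the screen trigger has to be caught in dynamic analysis.

```python
"""Static triage of a decoded AndroidManifest.xml for the persistence triggers
and install/overlay capabilities the post attributes to Hummingbad's SSP.

Added example, not code from the article or Check Point. Assumes the manifest
is already decoded to plain-text XML; the samples below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set

# ElementTree exposes the android: attribute namespace in Clark notation.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcasts named in the post as SSP triggers that CAN be declared statically
# (SCREEN_ON / SCREEN_OFF are runtime-only and never appear in a manifest).
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
}
# Permissions that let an app push further APK installs, or draw over other
# apps (the undismissable ad / fake close button behaviour described above).
INSTALL_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.INSTALL_PACKAGES",
}
OVERLAY_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed sample resembling a dropper: boot/connectivity receiver plus
# install and overlay permissions.
SAMPLE_DROPPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Ssp">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample: network access only, no receivers.
SAMPLE_BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Return which SSP-like indicators a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    perms: Set[str] = {
        p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")
    }
    # Only actions declared under <receiver> count as static wake-up triggers.
    actions: Set[str] = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            actions.add(action.get(ANDROID_NS + "name", ""))

    triggers = sorted(actions & TRIGGER_ACTIONS)
    installs = sorted(perms & INSTALL_PERMISSIONS)
    overlays = sorted(perms & OVERLAY_PERMISSIONS)
    return {
        "package": root.get("package"),
        "trigger_actions": triggers,
        "install_permissions": installs,
        "overlay_permissions": overlays,
        "score": len(triggers) + len(installs) + len(overlays),
        # A wake-up trigger combined with install or overlay capability is the
        # SSP pattern the post describes; either alone is common in benign apps.
        "suspicious": bool(triggers) and bool(installs or overlays),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        findings = triage_manifest(sample)
        print(findings["package"], "suspicious" if findings["suspicious"] else "clean", findings)
```

The combination rule matters more than any single indicator: many legitimate apps register for BOOT_COMPLETED, and many legitimately request SYSTEM_ALERT_WINDOW, so a score of one should route to review rather than be treated as a verdict.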

Check Point was able to trace Hummingbad to a Chinese company, Yingmob. In July 2016, Check Point estimated that the advertising company makes about $300,000 USD per month.

Hiddad

Hiddad presents itself as a series of trojan Android apps that have been found in the Google Play Store. When Google discovers Hiddad trojans, they remove them from their store as soon as possible, but it's a constant cat and mouse game.

Apps that have been discovered as Hiddad trojans include Music Mania, Subway Sonic Surf Jump, and supposed YouTube content downloaders tube.mate and Snaptube. Hiddad trojans will likely take many more forms in the future. App droppers associated with Hiddad load ad display components and spoof a system plugin that requires root.

Lotoor

Lotoor's a tricky one. Often Android users want to root their Android devices, and they use programs like Kinguser and Kingroot to do the job. I, personally, have rooted my own Android devices over the years, even though I've used different software to do so.

But for obvious reasons, cyber attackers also want to root their target's Android devices in order to cause harm. Kinguser and Kingroot are often identified as Lotoor by AV software, as are Lotoor exploit kits used to root without user authorization.

Conclusion

Fighting Android malware takes a combination of efforts. All Android devices should run AV software, but zero-day attacks and malware that otherwise evades signature-based detection are on the rise, and Android AV software needs to adapt by employing heuristics, including machine-learning techniques.

As much as possible, users should configure their Android devices to only accept APKs from the Google Play Store. I've dabbled in Android development and I've personally needed to enable APKs from outside sources in order to test my own apps, but I'm also a very cautious cybersecurity professional. Unless a user is a lot more knowledgeable about security than a typical end user, Android devices should be configured to only accept APKs from the Google Play Store.

Google Play Store does do a good job of blacklisting malware in their store, but it’s difficult to keep up with all the new apps that come into their marketplace on a daily basis.

For managing employee devices, I would definitely suggest configuring all Android endpoints to accept APKs only from the Google Play Store, in order to protect corporate data from employees who may not realize how much danger their ‘innocent’ downloads can present to their company.
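Restricting installs to the Play Store is only as good as the check that it is actually holding. One way to audit a managed device for sideloaded packages, added here as an example and not code from the post or from Google, is to read each third-party package's recorded installer over adb. It relies on the real `adb shell pm list packages -3 -i` command, where `-3` limits the listing to third-party (non-system) packages and `-i` appends the installer; the Play Store records itself as com.android.vending, while a sideloaded APK typically shows `installer=null` or the name of whatever app installed it. The sample output below is constructed, not captured from a device, and the package names in it are placeholders.

```python
"""Flag third-party Android packages that did not come from the Play Store.

Added example, not code from the article. Parses the output of
`adb shell pm list packages -3 -i`; the sample output below is constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"
ADB_LIST_CMD = ["adb", "shell", "pm", "list", "packages", "-3", "-i"]

# Constructed sample of `pm list packages -3 -i` output: one line per package,
# "package:<name>  installer=<installer package or null>".
SAMPLE_PM_OUTPUT = """\
package:com.example.weather  installer=com.android.vending
package:com.example.musicmania  installer=null
package:com.example.tubedownloader  installer=com.example.sideloader
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None where pm printed 'null')."""
    installers: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything that is not a package line
        inst = m.group("inst")
        installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def flag_sideloaded(
    installers: Dict[str, Optional[str]]
) -> List[Tuple[str, Optional[str]]]:
    """Return (package, installer) pairs whose installer is not the Play Store."""
    return sorted(
        (pkg, inst)
        for pkg, inst in installers.items()
        if inst != PLAY_STORE_INSTALLER
    )


def audit_device(serial: Optional[str] = None) -> List[Tuple[str, Optional[str]]]:
    """Run the real adb command against an attached, authorized device.

    Not exercised offline; requires adb on PATH and USB debugging enabled.
    """
    cmd = ADB_LIST_CMD if serial is None else ["adb", "-s", serial] + ADB_LIST_CMD[1:]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return flag_sideloaded(parse_pm_output(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for pkg, inst in flag_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"SIDELOADED {pkg} (installer: {inst or 'none recorded'})")
```

A package with no recorded installer is not proof of malice (an app restored from a backup or pushed by an MDM agent can look the same), so treat the list as a review queue. Enterprise-enrolled devices can have an MDM installer name that should be added to the allow-list alongside com.android.vending; that is an assumption about the reader's environment, not something the post states.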

The final component is end-user education. Teach users about social engineering attacks, especially how trojans can appear on the Android platform. Remind users that if they see anything suspicious such as an explosion of intrusive ads, all such incidents should be reported.

About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.
