Chapter 1: Android Malware Starters Pack

Android, an operating system developed by Google, has become a staple in our lives, powering smartphones, car systems, tablets, and much more. With over 70% of the mobile OS market share and embedded in over 1.5 billion devices worldwide, the Android platform is an enticing target for threat actors.

Mobile devices, Android included, are a great target for threat actors, especially in the BYOD (Bring-Your- Own-Device) era where work-life balance is mashed up in the digital sphere, possibly making mobile a preferable option over a PC. State-sponsored and financially motivated threat actors invest extensive (and expensive) resources into developing mobile malware and speared campaigns.

This is the first of three chapters in which we will learn about the Android malware threat to individuals and organizations. The main goal of this chapter is to detail the fundamentals of mobile threats, particularly Android, and to understand what’s under the hood of Android malware, how severe the threat is, and what security measures one should take to prevent infection.

The subsequent chapters will focus on threat intelligence-driven insights and technical deep-dives.

Understanding the landscape’s basics in this intro is essential for future understanding.

The Appeal of Android to Malicious Actors

At first glance, PCs might seem like the prime targets for cyber threats. However, the unique combination of personal and professional data in mobile devices makes them especially enticing. Unlike PC spyware, which often limits attackers due to strict organizational policies and extraction of session cookies and credentials, mobile devices offer a more holistic view of an individual’s life.

This can range from mundane daily routines to highly sensitive data, including personal information, real-time GPS locations, banking information, and Multi-Factor-Authentication (MFA) methods. This multifaceted information can fuel everything from identity theft to corporate espionage.

Extracting data or gaining hold of a phone is a critical scenario for individuals and organizations as the phone contains all our most sensitive data and even work-related authentication methods, alongside highly sensitive organizational data.

One example, and one of the most common techniques used by Android stealers, is SMS interception. This helps threat actors evade MFA and leaves the user vulnerable to the threat actor’s actions. In addition to SMS interception, some Android malware can fetch authentication application codes to bypass the MFA mechanism.

Critical mobile vulnerabilities might generally comprise a one-stop-shop for attackers—one place to rule it all. Nonetheless, such vulnerabilities are less common and thus expensive, up to 2.5 times the cost of the same vulnerability type affecting PCs.

Understanding the Android App Ecosystem

Native & Third-Party Applications

Every Android device comes equipped with a set of pre-installed apps designed to facilitate essential functions. However, to customize and enhance their experience, users turn to platforms like the Google Play Store and Galaxy Store. While these platforms benefit from Google Play Protect—a mechanism that scans apps for malicious behavior—threat actors often deploy ingenious methods to bypass these checks, camouflaging their malware as genuine, often popular, such as social media, VPNs, and security-related applications.

External Sources & Side-Loading

Geographical restrictions or the allure of modified apps often drive users to seek apps outside the official
platforms. Known as side-loading, this process, while underscoring Android’s flexibility, is also a significant
vulnerability. Alternative app stores, which often lack stringent security protocols, are fertile ground for
malware distribution.

How Malware Reaches Your Device

There are many ways for malware to infiltrate a device, some paths seem safer than others, and can even fool veteran users.

Four primary delivery methods for Android malware:

1. The Illusion of Safe Havens – Official App Stores
   For many, official app stores are perceived as areas of trust. Malicious actors exploit this trust by embedding malware within seemingly legitimate apps. The sheer volume of apps on these platforms can sometimes make careful vetting challenging, allowing malware to slip through.
2. The Wild West – Alternative App Stores
   These platforms, rich with apps that are either modified or unavailable on official stores, are unchartered territories. The absence of security checks provides a welcoming environment for malware to thrive and propagate.
3. Social Engineering – Phishing/Smishing
   Leveraging the human element, threat actors deploy deceptive tactics. An innocent-looking SMS (smishing) or a seemingly genuine email (phishing) may lure users into a trap, often leading to malware downloads.
4. The Invisible Threat – Exploits
   Sophisticated exploits represent one of the most potent threats. They leverage vulnerabilities within the software, offering attackers a silent entry into devices. The fact that almost 900 out of over 6,300 recorded Android-related vulnerabilities were identified in 2023 alone underscores the gravity of this threat.

Threat Actors & Their Malware Arsenal

State-Sponsored Attacks

State-sponsored attacks are coordinated campaigns often backed by nation-states, targeting specific sectors or geopolitical adversaries. Countries like Iran, China, and Russia have been particularly active. For instance:

• SpyNote by APT34: Originating from Iran, this malware has evolved to be capable of committing bank frauds, eavesdropping on conversations, bypassing 2FA, and even tracking user locations. Its distribution primarily relies on phishing campaigns.
• Infamous Chisel by Russia: This malware, targeting Ukrainian Android devices, is believed to extract a
  blend of data ranging from general system information to specifics tied to the Ukrainian military.
• BadBazaar by China: The BadBazaar spyware campaign orchestrated by the Chinese APT group GREF, this campaign was previously used to target ethnic minorities in China and has recently been expanded to users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States. The campaign led to siphoning off vast amounts of user data.

Financial Attacks

Monetary gain remains a compelling motivator. Malicious actors seeking financial rewards, craft banking campaigns to profit from misled users.

• MMRat, an undocumented Android banking trojan, has been targeting Southeast Asian mobile users since June 2023. This malware can remotely control victims’ devices and carry out financial fraud. Targets include Indonesia, Vietnam, Singapore, and the Philippines, demonstrating the growing sophistication of Android malware.
• In March, Nexus, an Android banking trojan, was used by threat actors to infiltrate 450 financial applications and steal data. The malware displays a broad range of capabilities to attack over 200 mobile banking, cryptocurrency, and other financial apps. The malware is advertised as a subscription service with a monthly fee of $3,000. The authors have excluded countries like Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.
• Anubis is one of the prominent banking Trojans that targets Android users and aims to steal banking information, leading to financial loss and data theft. Novel Android spyware uses Anubis’ strong mechanism in their spyware. Anubis is often spread through deceptive websites and infected mail attachments.

Detection & Prevention

With the expansion of Android devices and the growing threats they face, ensuring their security is vital.

The following could keep you safe:

• Regularly check for system and app updates, prioritizing them as they become available.
• Always download apps from trusted sources. Avoid side-loading apps from third-party stores.
• Review app permissions. Look for red flags (i.e. Sensitive permissions for unclear reasons).
• Never click on suspicious links in an email or SMS. Cross-check with known official communication
  channels if in doubt.
• Install a reputable mobile security app and keep it updated.
• Back up device data to secure cloud storage or physical storage regularly.
• Ensure Google Play Protect is enabled in settings.
• Enable 2FA for accounts that offer it, particularly for sensitive accounts such as email or banking.
• Avoid public Wi-Fi for sensitive transactions. If necessary, use a VPN.
• Knowledge is power. Awareness of recent threats or vulnerabilities helps with timely protection.

Stay tuned for the second chapter, in which we will do a deep dive into Android Threat Intelligence