Cybercriminals use Google Cloud Messaging service to control malware on Android devices

Kaspersky Lab researchers identified Android malware threats that receive commands from attackers through the Google Cloud Messaging service

Cybercriminals are controlling malware on Android devices through a Google service that enables developers to send messages to their applications, according to security researchers from antivirus vendor Kaspersky Lab.

Google Cloud Messaging (GCM) for Android allows developers to send and receive different types of messages to and from applications installed on Android devices. A developer can, for example, send messages that contain up to 4KB of structured data from a server the developer owns, through a Google-run GCM server, to all user installations of the developer's GCM-enabled apps. The applications don't even have to be running on user devices: the Android OS broadcasts the received messages and wakes up the targeted apps.

The GCM message data can include links, text advertisements or commands, said Roman Unuchek, a senior malware analyst at Kaspersky Lab, Wednesday in a blog post.

Researchers from the antivirus company have already identified multiple Android malware threats that use GCM as a primary or secondary command-and-control channel.

One of them is called Trojan-SMS.AndroidOS.FakeInst.a and can send text messages to premium-rate numbers, delete incoming text messages, generate shortcuts to malicious sites and display notifications advertising other malicious programs as useful apps or games, Unuchek said.

Kaspersky has found over 4.8 million installers for FakeInst.a to date, and during the past year the company's mobile antivirus product blocked over 160,000 attempted installations of this Trojan program, the researcher said. FakeInst.a was detected in over 130 countries, but it primarily targets users in Russia, Ukraine, Kazakhstan and Uzbekistan, he said.

Another Android malware threat that uses GCM to receive commands and updates is called Trojan-SMS.AndroidOS.Agent.ao. This malware program is usually disguised as a porn app, but like FakeInst.a, its purpose is to send premium-rate text messages and display ads in the Android notification area.

"In total, KMS blocked over 6,000 attempts to install Trojan-SMS.AndroidOS.Agent.ao," Unuchek said. "This Trojan targets mainly mobile devices in the UK, where 90 percent of all attempted infections were detected."

Other Android malware programs that use GCM for command-and-control purposes and were identified by Kaspersky researchers include Trojan-SMS.AndroidOS.OpFake.a with over 1 million detected samples and 60,000 infection attempts, Backdoor.AndroidOS.Maxit.a with over 40 variants and 500 blocked installation attempts, and Trojan-SMS.AndroidOS.Agent.az with over 1,000 modifications and 1,500 attempted installations.
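The Trojans described above pair a GCM command channel with the ability to send premium-rate text messages. The following static triage heuristic, an added example rather than Kaspersky's or Google's tooling, checks a decoded AndroidManifest.xml for that capability pairing: a receiver registered for the GCM `com.google.android.c2dm.intent.RECEIVE` action alongside SMS permissions. The sample manifest and its package name are constructed placeholders.

```python
"""Static triage heuristic (added example): flag an Android manifest that both
registers a GCM receiver and requests SMS permissions, the capability pairing
described for FakeInst.a and Agent.ao. Expects the decoded text form of
AndroidManifest.xml (e.g. as produced by apktool), not the binary XML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the GCM and SMS indicators found and whether they co-occur."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A GCM receiver is a <receiver> whose intent-filter lists the c2dm RECEIVE action.
    gcm_receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == GCM_RECEIVE_ACTION for a in r.iter("action"))
    ]
    sms = sorted(perms & SMS_PERMISSIONS)
    uses_gcm = GCM_PERMISSION in perms or bool(gcm_receivers)
    return {
        "gcm_receivers": gcm_receivers,
        "sms_permissions": sms,
        # Co-occurrence is a trigger for analyst review, not a malware verdict:
        # legitimate messaging apps can legitimately hold both capabilities.
        "suspicious": uses_gcm and bool(sms),
    }


# Constructed sample manifest for demonstration; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".GcmReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```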

One problem with GCM is that neither users nor mobile antivirus programs can block malicious messages received through it because they are delivered by the OS itself, Unuchek said via email. "Antivirus software cannot block system activities."

The only way to block this channel of communication between virus writers and their malware is to block the developer accounts whose IDs are being used to register malicious programs with GCM, he said. "We have informed Google about the detected GCM IDs that are used in malware."

There isn't currently a large number of malware programs that use GCM, but those that do exist are widespread in some parts of western Europe, the Commonwealth of Independent States (CIS) and Asia, Unuchek said.

GCM seems to be a very cheap and easy instrument for cybercriminals to use, so it's likely the service will be abused to a greater extent in the future unless countermeasures raise the bar for cybercriminals, the researcher said.

In addition to disabling developer IDs that are found to abuse the GCM service, another option would be to actively analyze GCM messages for malicious content, in a way similar to how intrusion detection systems analyze network traffic, Unuchek said.

Google did not immediately respond to an inquiry asking for information about the methods it uses to prevent malware writers from abusing the GCM service.


Lucian Constantin

IDG News Service
