Cybercriminals are controlling malware on Android devices through a Google service that enables developers to send messages to their applications, according to security researchers from antivirus vendor Kaspersky Lab.
Google Cloud Messaging (GCM) for Android allows developers to send and receive different types of messages to and from applications installed on Android devices. A developer can, for example, send messages that contain up to 4KB of structured data from a server the developer owns through a Google-run GCM server to all user installations of the developer’s GCM-enabled apps. The applications don’t even have to be running on user devices as the received messages will be broadcast by the Android OS and the targeted apps will be woken up.
The GCM message data can include links, text advertisements, or commands, said Roman Unuchek, a senior malware analyst at Kaspersky Lab, Wednesday in a blog post.
Researchers from the antivirus company have already identified multiple Android malware threats that use GCM as a primary or secondary command-and-control channel.
One of them is called Trojan-SMS.AndroidOS.FakeInst.a and can send text messages to premium-rate numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other malicious programs as useful apps or games, Unuchek said.
Kaspersky has found over 4.8 million installers for FakeInst.a to date and, during the past year, the company’s mobile antivirus product blocked over 160,000 attempted installations of this Trojan program, the researcher said. FakeInst.a was detected in over 130 countries, but it primarily targets users in Russia, Ukraine, Kazakhstan, and Uzbekistan, he said.
Another Android malware threat that uses GCM to receive commands and updates is called Trojan-SMS.AndroidOS.Agent.ao. This malware program is usually disguised as a porn app, but like FakeInst.a, its purpose is to send premium-rate text messages and display ads in the Android notification area.
“In total, KMS blocked over 6,000 attempts to install Trojan-SMS.AndroidOS.Agent.ao,” Unuchek said. “This Trojan targets mainly mobile devices in the UK, where 90 percent of all attempted infections were detected.”
Other Android malware programs that use GCM for command-and-control purposes and were identified by Kaspersky researchers include Trojan-SMS.AndroidOS.OpFake.a with over 1 million detected samples and 60,000 infection attempts, Backdoor.AndroidOS.Maxit.a with over 40 variants and 500 blocked installation attempts, and Trojan-SMS.AndroidOS.Agent.az with over 1,000 modifications and 1,500 attempted installations.
Not blockable by users or antivirus programs
One problem with GCM is that neither users nor mobile antivirus programs can block malicious messages received through it because they are delivered by the OS itself, Unuchek said via email. “Antivirus software cannot block system activities.”
The only way to block this channel of communication between virus writers and their malware is to block the developer accounts whose IDs are being used to register malicious programs with GCM, he said. “We have informed Google about the detected GCM IDs that are used in malware.”
There isn’t currently a large number of malware programs that use GCM, but those that do exist are widespread in some parts of western Europe, the Commonwealth of Independent States (CIS) and Asia, Unuchek said.
GCM seems to be a very cheap and easy instrument for cybercriminals to use, so it’s likely the service could be abused to a greater extent in the future unless the bar for cybercriminals is raised through countermeasures, the researcher said.
In addition to disabling developer IDs that are found to abuse the GCM service, it might also be a solution to actively analyze GCM messages for malicious content in a way similar to how intrusion detection systems analyze network traffic, Unuchek said.
Google did not immediately respond to an inquiry asking for information about the methods it uses to prevent malware writers from abusing the GCM service.
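Because GCM messages are delivered by the OS, one place a defender can still look is the app's manifest before installation. The following added example (not code from Kaspersky or from the article) is a triage heuristic that flags a decoded AndroidManifest.xml combining GCM reception with the SMS and shortcut capabilities described above; the sample manifests and package names are constructed, and a match is a reason to inspect the app, not proof of malice.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_ACTION = "com.google.android.c2dm.intent.RECEIVE"
# Capabilities matching the behaviour the article attributes to these Trojans.
RISKY = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate abuse)",
    "android.permission.RECEIVE_SMS": "can receive incoming SMS",
    "android.permission.WRITE_SMS": "can modify or delete stored SMS",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can create shortcuts",
}

def audit_manifest(manifest_xml):
    """Triage one decoded AndroidManifest.xml; a heuristic, not a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Receivers the OS wakes when a GCM message arrives, even if the app is idle.
    receivers = [r.get(A + "name") for r in root.iter("receiver")
                 if any(a.get(A + "name") == GCM_ACTION for a in r.iter("action"))]
    uses_gcm = GCM_PERMISSION in perms or bool(receivers)
    findings = [why for perm, why in RISKY.items() if uses_gcm and perm in perms]
    return {"package": root.get("package"), "uses_gcm": uses_gcm,
            "gcm_receivers": receivers, "findings": findings}

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample manifests (hypothetical package names).
SUSPICIOUS = f"""<manifest {NS} package="com.example.freegame">
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.news">
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(audit_manifest(sample))
```

The input is the text-form manifest produced by decoding an APK; the binary manifest inside the APK itself will not parse with `xml.etree`.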