How sophisticated is the current crop of Android malware?

Much has been publicised recently about the threat of Android malware, including in my earlier post, an Android storm warning. The question is: how sophisticated is the current crop of Android malware? I address this question here by evaluating the Stels trojan, which appeared recently. I will assess the sophistication of Stels on four elements and give it a subjective score out of five for each (with 1 being very unsophisticated and 5 very sophisticated):

a) Distribution mechanism
Stels has been distributed through spam email sent by the Cutwail botnet. Some of the spam consists of a fake IRS warning prompting the user to download IRS forms. If the email link is clicked from a PC, the user is directed to a page which uses the Blackhole exploit kit to carry out a drive-by download of malware. If the link is clicked from an Android device, the user is prompted to install a fake Adobe Flash Player update, which is in fact the Stels trojan.

How sophisticated is this? Well, distribution is fairly widespread, as Cutwail is one of the largest botnets around, and Cutwail was fairly successful in spreading Zeus. Would users fall for the IRS scam? Undoubtedly many still would.

Score for distribution mechanism: 3 (out of 5)

b) Installation
User interaction is required to install Stels. First, the user is prompted to install the fake Adobe Flash Player update. At install time the OS alerts the user that the application has access to directly call phone numbers, send and receive SMS messages, and read the call log and contacts. In addition, the user also needs to enable the “Unknown sources (Allow installation of non-market applications)” setting on the phone.

Installing what the user believes to be an Adobe update would trick many users, and many would not be concerned by the alerts about the application’s functionality. However, changing the phone setting to allow non-market applications could alert some users that something is amiss.

Score for installation: 1

c) Likelihood of detection
Once installed, an icon is placed on the desktop. The icon is the Adobe Flash Player icon, so it is convincing. However, the name of the application below the icon is “APPNAME”. Clearly proper QA procedures were not followed during the software development life cycle of this malware; the developer was obviously in too much of a hurry to get it distributed.

Once installed, the malware runs as a background service. This is unlikely to raise concerns for many Android users.

Stels was tested against 44 antivirus solutions at VirusTotal. None flagged it as malicious.

So, we have mixed results in terms of likelihood of detection. Silly errors by the developer make it easy for an alert user to spot. However, none of the antivirus solutions picked it up.

Score for likelihood of detection: 2

d) Payload
Once installed, it packs a powerful punch. The Stels trojan has the following capabilities:
– Harvest the contact list
– Send SMS messages
– Intercept incoming SMS messages (this can potentially be used to break mTAN banking, i.e. bypass SMS-based two-factor authentication)
– Make phone calls (including to premium numbers)
– Download and install additional malware
– Uninstall applications

The stolen data is sent to a command and control server.

Score for payload: 4
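Pulling sections b), c) and d) together, the permissions the OS warns about at install time and the “APPNAME” slip are exactly the kind of things an analyst can check mechanically in a decoded AndroidManifest.xml. The following triage script is an added example written for this post, not code from the original or from the Stels sample; the manifest it parses is constructed to mirror what the post describes, and the permission constants are the standard Android ones for the listed capabilities.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the post attributes to Stels, keyed by the standard manifest
# permission an app must declare to obtain each of them.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "harvest the contact list",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (mTAN bypass)",
    "android.permission.CALL_PHONE": "make phone calls (incl. premium numbers)",
    "android.permission.READ_CALL_LOG": "read the call log",
}

# Constructed sample manifest mirroring the post's description (fake Flash
# update, "APPNAME" label). It is NOT the real Stels manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.update">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="APPNAME" android:icon="@drawable/flash"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict of findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    findings = {
        "package": root.get("package"),
        "capabilities": [RISKY_PERMISSIONS[p] for p in RISKY_PERMISSIONS if p in perms],
        # Receiving and sending SMS together is the combination that lets an
        # app read an mTAN code and relay it, as section d) describes.
        "sms_interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.SEND_SMS"} <= perms,
        # An all-caps single-word label such as "APPNAME" is a template value
        # the author never replaced; a finished release rarely ships that way.
        "placeholder_label": label.isalpha() and label.isupper(),
    }
    findings["risk_score"] = (len(findings["capabilities"])
                              + 2 * findings["sms_interception"]
                              + findings["placeholder_label"])
    return findings
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the constructed sample and it reports all five capabilities, the SMS interception combination and the placeholder label, for a risk score of 8; the same script on a manifest with a real label and no RECEIVE_SMS scores 4.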

Summary
In terms of sophistication, the Android Stels trojan is a mixed bag. Anecdotal evidence suggests that users are likely to be less vigilant about installing malware on their Android phone than on their PC. Some elements would reduce the number of successful Stels installations, and some of these would be simple for the developer to improve. However, once installed, the malware packs a powerful punch. More information, including screenshots of Stels, is here.

Total score (out of a possible 20): 10
Please note that this is simply a subjective, unscientific score.

Android malware is still in its infancy. We are bound to see an increase in the sophistication of mobile malware in the near future.
