Android Malware History

PHAs, or Potentially Harmful Applications, are a type of malware that can harm users or their devices. PHAs can perform various malicious actions, such as stealing personal information, displaying unwanted ads, sending spam messages, or downloading other harmful apps without the user’s consent.
Android is one of the most popular operating systems in the world, with over 3 billion active devices. However, this also makes it a target for cybercriminals who want to exploit its vulnerabilities and distribute PHAs. In this blog post, we will explore the history of Android PHAs, how they have evolved over time, and what Google is doing to protect users from them.
The first Android virus: FakePlayer
In August 2010, the first in-the-wild Android malware was reported by Denis Maslennikov, an employee of Kaspersky. Disguised as a media player application, FakePlayer sent SMS messages to the numbers 3353 and 3354, with each message costing about $5. The app did not require any special permissions to run, and it was distributed through third-party websites and forums. FakePlayer was the first SMS malware to affect Google’s Android operating system, and it marked the beginning of a new era of mobile threats.
SMS Trojans and Fake Antivirus
The first Android PHAs appeared in 2009 in the official store, shortly after the launch of the Android Market (now Google Play). These were mainly SMS Trojans and Fake Antivirus apps. SMS Trojans would send premium-rate text messages from the infected device without the user’s knowledge, generating revenue for the attackers. Fake Antivirus apps would pretend to scan the device for viruses and then ask the user to pay for a fake or ineffective service.
These PHAs were relatively easy to detect and remove, as they often required the user to grant them permissions that were not related to their functionality. For example, a wallpaper app that asked for permission to send text messages was clearly suspicious. Moreover, Google introduced several security features in Android and Google Play to prevent these PHAs from spreading, such as blocking premium-rate SMS numbers, verifying app signatures, and scanning apps for malware.
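The "permission that does not fit the app" heuristic described above is easy to turn into a triage check. The following script is an added example, not code from the original post: it parses a constructed AndroidManifest.xml for a wallpaper app, compares the requested permissions against an allow-list for the app's declared purpose, and reports the high-risk ones that stand out. The per-category allow-lists and the sample package name are assumptions for the demo, not any Google policy; the permission strings themselves are real Android permission names.

```python
"""Flag permission requests that do not fit an app's stated purpose.

Added illustration for the heuristic in the post: a wallpaper app asking
for SMS permissions is suspicious. Category allow-lists are assumptions.
"""
import xml.etree.ElementTree as ET

# Manifest attributes (android:name etc.) live in this namespace; the
# element tags themselves (<uses-permission>) do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the early SMS Trojans and fake AV relied on. An analyst would
# expand this set; the names are real Android permission strings.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_DEVICE_ADMIN",
}

# What each app category plausibly needs (assumed for this example only).
EXPECTED_BY_CATEGORY = {
    "wallpaper": {
        "android.permission.INTERNET",
        "android.permission.SET_WALLPAPER",
    },
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
    },
}

# Constructed sample manifest: a "wallpaper" app that also wants SMS rights.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Cute Wallpapers"/>
</manifest>
"""


def package_name(manifest_xml: str) -> str:
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package", "")


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every permission declared through <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def suspicious_permissions(manifest_xml: str, category: str) -> set[str]:
    """High-risk permissions that the app's category does not account for."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return {
        p for p in requested_permissions(manifest_xml)
        if p in HIGH_RISK and p not in expected
    }


if __name__ == "__main__":
    flagged = suspicious_permissions(SAMPLE_MANIFEST, "wallpaper")
    print(f"{package_name(SAMPLE_MANIFEST)}: unexpected high-risk permissions "
          f"-> {sorted(flagged)}")
```

Run against a real APK, the manifest would first have to be decoded from its binary form (for example with apktool or aapt); the heuristic itself is the same. The same manifest flags nothing when declared as a "messaging" app, which is exactly the point: a permission is suspicious relative to what the app claims to do, not in isolation.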
The rise of Rooting and Ransomware PHAs
In 2012, a new type of PHA emerged: Rooting PHAs. These were apps that exploited vulnerabilities in the Android system to gain root access to the device. Rooting is a process that allows users to modify the system settings and install custom ROMs or apps that are not available on Google Play. However, rooting also exposes the device to security risks, as it bypasses the Android security model and gives full control to any app that has root privileges.
Rooting PHAs would use root access to perform various malicious actions, such as installing other PHAs, displaying ads on the lock screen or notification bar, changing browser settings or bookmarks, or stealing personal data. Some Rooting PHAs would also hide themselves from the user and make it difficult to uninstall them.
Another type of PHA that became more prevalent in 2012 was Ransomware PHAs. These were apps that would lock the device or encrypt its data and then demand a ransom from the user to restore access or decrypt the data. Ransomware PHAs would often use scare tactics to trick users into paying, such as displaying fake messages from law enforcement agencies or threatening to delete the data.
These PHAs were more sophisticated and harder to detect and remove than the previous ones, as they often used encryption or obfuscation techniques to evade analysis and detection. Moreover, they often exploited social engineering or phishing methods to lure users into installing them, such as disguising themselves as legitimate apps or sending fake notifications or emails.
Google’s response: Google Play Protect and SafetyNet
To combat these new threats, Google developed and improved several security solutions for Android and Google Play. One of these was Google Play Protect, a service that scans over 100 billion apps per day for malware and removes harmful apps from devices and Google Play. Google Play Protect also warns users about potentially harmful apps that are downloaded from other sources and provides them with options to uninstall or disable them.
Another solution was SafetyNet and the Play Integrity API, a set of APIs that allow developers to check the security status of devices and apps. SafetyNet can detect if a device is rooted or compromised by malware, if an app is tampered with or contains malicious code, or if an app is trying to perform risky actions such as accessing sensitive data or sending SMS messages. Developers can use SafetyNet to prevent their apps from running on unsafe devices or block malicious apps from accessing their services.
See: Overview of the Play Integrity API | Google Play | Android Developers
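The integrity checks described above only help if the app's backend actually enforces them. The following is an added example, not code from the original post or from Google: a server-side policy check over an already-decrypted Play Integrity verdict. It assumes the verdict has been obtained and decrypted through Google's documented flow and is handed in as the JSON payload; the field names (requestDetails, appIntegrity, deviceIntegrity, accountDetails and their verdict labels) follow Google's public verdict format, while the package name, certificate digest placeholder, session nonce and ten-minute freshness window are assumptions for the demo.

```python
"""Server-side enforcement of a decrypted Play Integrity verdict.

Added illustration; the verdict layout follows Google's documented format,
the policy values (package, digest, nonce lifetime) are assumptions.
"""
import json
import time

# Constructed: the nonce our server issued for this session, which the app
# passed into its integrity request. Checking it binds verdict to session.
SESSION_NONCE = "c2Vzc2lvbi0xMjM0LW5vbmNl"

# Constructed sample verdict shaped like a decrypted token payload.
SAMPLE_VERDICT = json.dumps({
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": SESSION_NONCE,
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.bank",
        "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST"],
        "versionCode": "42",
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
})

EXPECTED_PACKAGE = "com.example.bank"                 # assumed app
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_CERT_DIGEST"}   # placeholder for the real signing-cert digest
MAX_VERDICT_AGE_MS = 10 * 60 * 1000                   # assumed policy: ten-minute freshness window


def evaluate_verdict(payload_json: str, expected_nonce: str, now_ms=None) -> list:
    """Return the reasons to reject the verdict; an empty list means accept."""
    v = json.loads(payload_json)
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    problems = []

    req = v.get("requestDetails", {})
    # 1. Bind the verdict to this session: the nonce must be the one we issued.
    if req.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replayed or forged request)")
    # 2. The verdict must concern our package and be fresh (no stale replays).
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        problems.append("verdict issued for a different package")
    ts = int(req.get("timestampMillis", 0))
    if now_ms - ts > MAX_VERDICT_AGE_MS or ts > now_ms + 60_000:
        problems.append("verdict timestamp outside accepted window")

    app = v.get("appIntegrity", {})
    # 3. The app must be the Play-distributed build signed with our certificate,
    #    which rejects repackaged or modified copies.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        problems.append(f"app not recognized by Play: {app.get('appRecognitionVerdict')}")
    if app.get("packageName") != EXPECTED_PACKAGE:
        problems.append("appIntegrity package mismatch")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        problems.append("unexpected signing certificate (tampered or repackaged app)")

    dev = v.get("deviceIntegrity", {})
    # 4. The device must at least meet the standard integrity bar; rooted or
    #    bootloader-unlocked devices typically do not carry this label.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        shown = ", ".join(sorted(labels)) or "no labels"
        problems.append(f"device integrity not met: {shown}")
    return problems


def rooted_variant(payload_json: str) -> str:
    """Constructed counterexample: same verdict but without any device labels,
    which is what a rooted or unlocked device typically produces."""
    v = json.loads(payload_json)
    v["deviceIntegrity"]["deviceRecognitionVerdict"] = []
    return json.dumps(v)


if __name__ == "__main__":
    now = 1700000000000 + 5_000  # pretend "now" is 5 s after the verdict was issued
    print("genuine:", evaluate_verdict(SAMPLE_VERDICT, SESSION_NONCE, now) or "accepted")
    print("rooted :", evaluate_verdict(rooted_variant(SAMPLE_VERDICT), SESSION_NONCE, now))
    print("replay :", evaluate_verdict(SAMPLE_VERDICT, "some-other-nonce", now))
```

The order of the checks matters less than the fact that all of them run on the server: a client-side check can be patched out of a tampered app, which is exactly the case the appIntegrity verdict exists to catch. Which device label to require (basic, device or strong integrity) is a product decision; a banking backend would usually insist on at least MEETS_DEVICE_INTEGRITY as above.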
The current state of Android PHAs: Banking Trojans and Ad Fraud
Despite Google’s efforts, Android PHAs are still evolving and posing new challenges. One of the current trends is Banking Trojans, which are apps that target users’ financial information and accounts. Banking Trojans can steal credentials, intercept SMS messages, display fake login screens, or redirect transactions to fraudulent accounts. Banking Trojans often use sophisticated techniques such as overlay attacks, keylogging, screen recording, or injection attacks to bypass security measures and deceive users.
Another trend is Ad Fraud: apps that generate fake clicks or impressions on ads to generate revenue for the attackers. Ad Fraud apps can use various methods such as bots, proxies, emulators, or hidden webviews to create artificial traffic and inflate ad metrics. Ad Fraud apps can also harm users by consuming their battery life, data usage, or device resources.
The rise of mobile Trojans: Joker and Facestealer
Since then, Android malware has evolved and diversified, adopting various techniques and tactics to infect devices and steal data. One of the most common types of Android malware is the Trojan, a malicious app that hides its true intentions behind legitimate-looking functionality. Trojans often require user interaction to be activated, such as downloading an update or granting permissions.
One of the most notorious Android Trojans is Joker, which stealthily takes out paid subscriptions for the user without their consent or knowledge. Joker has been active since 2017, and it has been found in hundreds of apps on Google Play and other sources. Joker uses various methods to evade detection, such as injecting small pieces of malicious code into harmless apps, encrypting its payload, or using dynamic loading techniques.
See: Joker Malware Apps Once Again Bypass Google’s Security to Spread via Play Store
Another example of a dangerous Android Trojan is Facestealer, which specializes in stealing Facebook credentials from unsuspecting users. Facestealer was discovered in 2021, hidden in several apps on Google Play that offered photo editing features. Facestealer used a phishing technique to trick users into entering their Facebook login details on a fake page that mimicked the social network’s interface. Facestealer also had the ability to access other apps on the device, such as WhatsApp and Instagram.
See: Android password-stealing malware infects 100,000 Google Play users
The challenge of mobile adware: APKPure and FMWhatsApp
Another type of Android malware that poses a significant threat to users is adware, which is malicious software that displays unwanted and intrusive advertisements on the device. Adware can also collect personal information, consume battery and network resources, or redirect users to malicious websites.
One of the trends in 2021 was the introduction of malicious code in third-party ads modules, which developers of various useful apps often plug in to monetize their work. For example, last spring cybercriminals used a malicious advertisement SDK to infect APKPure, a popular alternative Android app store. The infected version of APKPure downloaded and installed various unwanted apps on the user’s device without their permission.
A similar story happened with FMWhatsApp, a popular WhatsApp mod that offered additional features and customization options. One of the versions of FMWhatsApp contained the Triada Trojan inside an advertisement SDK. Triada is infamous for being very difficult to remove from an infected device, and it tends to download a bunch of other malicious apps onto the victim’s device.
The future of mobile security: prevention and protection
As we have seen, Android malware has become more sophisticated and diverse over time, exploiting new vulnerabilities and techniques to bypass security measures and reach users. Therefore, it is essential for users to be aware of the risks and take preventive actions to protect their devices and data.
Some of the best practices to avoid Android malware are:
- Only download apps from trusted sources, such as Google Play or official websites.
- Check the permissions and reviews of the apps before installing them.
- Keep your device updated with the latest security patches and firmware.
- Use reliable antivirus software that can detect and remove malicious apps.
- Avoid clicking on suspicious links or opening unknown attachments.
- Back up your data regularly and use encryption if possible.
Android malware is not going away anytime soon, but by following these tips you can reduce your chances of becoming a victim. Stay safe and enjoy your Android device!