Symantec discovers more Android app malware
Android Market Security Tool hosted on third-party website contains malicious code
Symantec has discovered suspicious code within a repackaged version of the Android Market Security Tool.
The tool was originally published by Google to combat the Android.Rootcager virus, which was downloaded to users' phones via malware-laden apps hosted on the Android Marketplace.
Symantec found the version of the tool containing suspicious code on an unregulated third-party Chinese marketplace.
The threat appeared to be capable of sending SMS messages if instructed to do so by a command and control server.
According to Symantec, the code used to write the threat was based on a project hosted on Google Code and licensed under the Apache License.
The Trojanised applications contain multiple bugs and are incapable of cleaning a system infected with Android.Rootcager. They also contain code to change an infected device's APN settings.
Even if this APN change code were called, the application's permissions would not allow the requested changes to take place.
An application that wants to change the APN settings is required to hold the "android.permission.WRITE_APN_SETTINGS" permission.
Symantec's Security Response team also found other, apparently dormant, pieces of code embedded within the apps. Their purpose appears to be to block incoming calls from specific phone numbers belonging to the customer care department of a major telecoms operator in China.
The original Google tool did not require users to download it, but was pushed to phones to clear up the effects of downloaded malware.
To avoid becoming a victim of such Trojanised Android applications, Symantec recommends that users avoid third-party app sites and download Android apps only from the Android Marketplace, and that they adjust the Android OS application settings to stop the installation of non-market apps.
Symantec also recommends that users check the app review comments to help determine if it is safe.
During the installation of Android apps, Symantec says users should always check the access permissions being requested; if they seem excessive for what the application is designed to do, it would be wise not to install the application.
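The permission check described above, and the earlier point that the APN change code could not work without the matching permission, can be done mechanically by comparing a repackaged app's manifest with the original's. The following is an added example, not code from Symantec or from the apps discussed; both manifests are constructed samples, the package names are placeholders, and the behaviour-to-permission watch list is an assumption chosen for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (decoded text form); not taken from any real app.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitytool">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitytool.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Watch list (assumption for this example): behaviour -> permission it requires.
NEEDS = {
    "send SMS": "android.permission.SEND_SMS",
    "change APN settings": "android.permission.WRITE_APN_SETTINGS",
}

def parse_manifest(xml_text):
    """Return (package name, set of requested permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)  # ignore malformed entries that lack android:name
    return root.get("package"), perms

def review(original_xml, repackaged_xml):
    """Diff a repackaged manifest against the original and classify watched behaviours."""
    orig_pkg, orig_perms = parse_manifest(original_xml)
    new_pkg, new_perms = parse_manifest(repackaged_xml)
    return {
        "package_changed": orig_pkg != new_pkg,
        "added": sorted(new_perms - orig_perms),
        # Behaviours the declared permissions would allow at runtime.
        "usable": sorted(b for b, p in NEEDS.items() if p in new_perms),
        # Behaviours that would fail even if the code were present and called.
        "blocked": sorted(b for b, p in NEEDS.items() if p not in new_perms),
    }

if __name__ == "__main__":
    for key, value in review(ORIGINAL, REPACKAGED).items():
        print(f"{key}: {value}")
```

Permissions that appear only in the repackaged copy are the ones to question before installing; a behaviour listed under "blocked" corresponds to code that may be present but cannot take effect with the permissions declared.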
Users should also utilise a mobile security solution on devices to ensure any downloaded apps are not malicious.
Enterprises should also consider implementing a mobile management solution to ensure all devices that connect to their networks are policy compliant and free of malware.
The first malware discovered by Symantec was called Pjapps, which pretends to be a legitimate Android application, Steamy Window. The real app was compromised by hackers and released for download on third-party app hosting sites.
Following Pjapps, attackers placed malware in apps on the Android Marketplace for the very first time. Usually apps with malware are found on third-party hosting sites.
Malware authors are taking legitimate apps and rewriting them to contain viruses; these apps show different publisher names and application names.
Symantec says that 50,000 to 200,000 downloads took place within the four-day time frame that the apps were made available.