Experts at Kaspersky Lab have found an interesting loophole allowing virus makers to manage their malware with ease. The company’s press service told The Day that the attackers use the Google Cloud Messaging (GCM) service (designed to allow application developers to send messages to their users) to send commands to Trojans that have infected Android-powered phones. Meanwhile, these malicious programs send SMSes to premium-rate numbers, steal messages and contacts and show ads promoting other malware.
Functionally, this malware is quite diverse, as it, not being content with sending premium-rated SMSes, can also steal messages and contacts, delete SMSes, send links to itself or other malware, stop and restart its activities without external input, and update itself.
All malware is distributed by stealth, disguised as useful applications and games. This case, though, is a new development showing unusual originality on the part of the virus makers as they use the GCM service itself as a command and control center, registering all Trojans and backdoors once installed on a smartphone and sending them commands, the experts report. They warn this approach makes it impossible to block access to the command server directly from the infected phone.
In this case, the only way to block command messages is through blocking developers’ accounts used by malware during registration.
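The architecture the two paragraphs above describe, seen from an analyst's side, is an added example and not code from the article or from Kaspersky Lab. Because GCM-delivered commands never touch an attacker-owned server from the phone, network-level blocking fails, and triage has to fall back on what the app itself declares: a package that registers for GCM push messages while also holding SMS and contacts permissions matches the capability set the article lists. The script parses an AndroidManifest.xml with the standard library and flags that combination. The GCM permission and intent-action strings are the real ones; the two manifests, their package names and the receiver class name are constructed for the example.

```python
"""Static triage of AndroidManifest.xml for the GCM-as-command-channel pattern.

Added example (not from The Day article or Kaspersky Lab). Flags packages that
both register for Google Cloud Messaging and hold the SMS/contacts permissions
the article's Trojans need. This is a triage heuristic, not a verdict: a
legitimate messaging app can declare the same set.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # android:name attribute, namespace-qualified

# Real GCM declarations: the receive permission and the broadcast actions.
GCM_RECEIVE_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_INTENT_ACTIONS = {
    "com.google.android.c2dm.intent.RECEIVE",
    "com.google.android.c2dm.intent.REGISTRATION",
}

# Permissions mapped to the capabilities the article attributes to the malware.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "send premium-rate SMS",
    "android.permission.READ_SMS": "read or steal messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "steal contacts",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return a summary of GCM usage and risky permissions for one manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME) for el in root.iter("uses-permission")}

    # A receiver whose intent-filter listens for GCM actions is the client
    # side of the push channel, regardless of whether the permission is set.
    gcm_receivers = [
        r.get(NAME)
        for r in root.iter("receiver")
        if {a.get(NAME) for a in r.iter("action")} & GCM_INTENT_ACTIONS
    ]
    uses_gcm = GCM_RECEIVE_PERMISSION in permissions or bool(gcm_receivers)
    risky = sorted(p for p in permissions if p in RISKY_PERMISSIONS)

    return {
        "package": root.get("package"),
        "uses_gcm": uses_gcm,
        "gcm_receivers": gcm_receivers,
        "risky_permissions": risky,
        "capabilities": [RISKY_PERMISSIONS[p] for p in risky],
        "suspicious": uses_gcm and bool(risky),
    }


# Constructed sample: push-registered "game" that can also send SMS and read contacts.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <application android:label="Free Game">
        <receiver android:name="com.example.constructed.PushReceiver"
            android:permission="com.google.android.c2dm.permission.SEND">
            <intent-filter>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
                <action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
                <category android:name="com.example.constructed.freegame"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: ordinary push-enabled app with no SMS or contacts access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <application android:label="Weather">
        <receiver android:name="com.example.constructed.PushReceiver">
            <intent-filter>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {flag} {result['capabilities']}")
```

The check runs on the decoded manifest (binary manifests pulled from an APK first need a tool such as apktool or aapt to dump them as XML). A positive hit is only a reason to look closer at the receiver class and the sender ID it registers with; it is that sender ID, tied to the developer account, that the article says is the only place the channel can actually be cut.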
The most popular function of mobile phone-based Trojans that use the GCM is sending premium-rated SMSes to so-called premium numbers. A classic example is TROJAN-SMS.AndroidOS.OpFake.a, identified by Kaspersky Lab and hitting mostly Russia and some other CIS countries.
Experts at Kaspersky Lab have found over 1,000,000 individual installation packages of the Trojan.
“We find up to 12,000 new malicious programs every month that harm mobile platforms, and the Android platform is among the most vulnerable ones, suffering 97 percent of all vulnerabilities. The GCM’s use by criminals is one of them. There are just a few mobile malware products, but some of them are very popular. Necessary countermeasures include cooperation with the GCM’s developers and timely blocks on communication channels linking the virus makers with their malware. We have informed Google of the GCM-IDs used by the mobile malware we have found,” Kaspersky Lab’s leading anti-virus expert Roman Unuchek sums up.
Google’s Ukrainian office told The Day it was not ready to comment on the information because, firstly, the local office had not received this message from Kaspersky Lab, and secondly, there had been no word from Google’s headquarters just yet. Most likely, there will be no reaction before August 16 at the earliest.
“We informed Google of the GCM-IDs used by the mobile malware we have found three times, on July 10 and 17 and August 7,” the company reiterated.