Android Malware Compromising Modern Devices

Android Marshmallow

Google is shrinking the oceans of attack vectors once available to bad guys with every Android update but treacherous rivers remain for Android malware.

Chief among those vectors are screen overlay techniques, which are some of the most capable features modern malware authors are abusing to compromise new and updated Android phones.

Compromising modern Android operating systems is more difficult than hacking much-used older platform versions, but it is well worth the effort; the new platforms typically run only on expensive modern phones, which offer criminals more processing power to run malware and access to bank accounts of on average more wealthy individuals.

Human factor

Modern Android malware increasingly relies on conning users into doing their bidding to subvert the tougher security controls, and screen overlays offer some of the best illustrations of this working on Marshmallow and Lollipop.

It is perhaps best explained through a hypothetical attack on Marshmallow: A malware writer steals and modifies code for an enticing game, and successfully passes Google Bouncer security checks to have it published on the Google Play store.

Users download, play, and rate the app. The attacker pushes an update that adds malicious code to the app, throwing additional permission checks. Users already trust the application so they approve the requests, granting it the ability to send SMS, place calls, and access storage.

The user opens the app and a friendly screen of text written by the attacker appears asking for the player to tap a button that will launch Android’s accessibility, administrator, and write-over-apps functions. The message saying that the approvals are necessary for some new functions in the game are repeated under the activation buttons in the accessibility and draw-over-apps screens.

With those functions clicked the player can once again enjoy their game, while the malware writer has the ability to silently view and steal usernames and passwords for all but the tiny handful of apps that prevent draw-over-app functions.

This feat is not difficult, and is actively occurring with malicious applications, some which infect tens of thousands of users, being regularly pulled down from the Google Play store.

It was recently demonstrated in May by Skycure security researcher Yair Amit who found a combination of attacks that worked against 95 percent of all Android devices, amounting to some 1.34 billion handsets.

Amit found a clever way for malware writers to abuse draw-over-apps screen overlays.

He demonstrates in a video how a simple game could prompt users to click on various areas of their phones which would behind-the-scenes cause the user to inadvertently open and approve administrator and accessibility permissions.

From there the Android malware would have full rights to compromise user data.

Other more complex yet highly effective techniques have recently surfaced.

Mobile malware writers are making millions of dollars compromising handsets through tricks much simpler than these, yet functions like screen-overlays and accessibility functions ensure revenue streams remain open on the most modern Android platforms.

Sweetening security

Traditional malware tricks are much harder to pull off against Android Lollipop (version five), and even more so with Marshmallow than older platforms like KitKat (version 4.4). The old tricks may be dead and buried in the wake of the upcoming Android Nougat (version 7).

Marshmallow was a security breakaway from the anarchy of its predecessors. It the defence of malware granular permissions was one of the most prominent security features because it forces users to individually approve or deny application’s requests for access to functions like phone calls and messaging.

For its part Lollipop introduced mandatory SELinux Enforcing Mode, anti-theft functions including smart locks, and factory reset protection, and privacy tools including encryption.

Android version distribution, June 2016. Graph credit: Erikrespo
Android version distribution, June 2016. Graph credit: Erikrespo

At the time of writing about 35.4 percent of users operate Android Lollipop, outpacing by a whisker those running the terribly insecure KitKat (version 4.4) platform last updated in 2013.

This is good news for lazy Android malware writers who will enjoy easy picking of vulnerable devices until KitKat devices disappear and the barely-used Marshmallow gains dominance.

Security sorties

Google and Apple fight hard to increase the security standards of their operating systems. The former has come far to bridge the gap between the traditionally more vulnerable Android platform and Apple’s hardened iOS since Google’s operating system first hit the mobile market in 2008.

Android has achieved this while still being a highly modifiable platform, the implications of which mean it is more open to attack than is iOS which largely prevents users from installing applications outside of the App Store, and from customising the look and feel of the operating system.

Yet it is this functionality such as draw-over-apps that permits abuse.

Still, Google’s sixth and latest Android version named Marshmallow is now sufficiently hardened that many in the hacking community regard it as a challenger to iOS, despite that it allows users to flick switches that will allow applications to be installed from any source and to grant deep permissions to apps.

Apple by contrast spends considerable money preventing those functions and closing any jailbreaks which emerge. It’s grip is so tight that vulnerability firm Zerodium paid US$1 million for a new iOS jailbreak.


Author: Mitchell Cameron

Mitchell Cameron is a freelance security writer who covers information security research, exploits, and vulnerabilities for various publications.

Leave a Reply

Your email address will not be published. Required fields are marked *