Cybercriminals have been practically relentless in their attacks against the Android OS, and McAfee’s own Mobile Research team has discovered yet another attempt at infecting Android devices. Named Grabos, the malware was first discovered by the team in the Android application “Aristotle Music audio player 2017,” which claimed to be a free audio player on Google Play. However, we’ve since found the threat present in 144 trojanized applications on Google Play.
What is it and how does it work?
Let’s start with Aristotle. The music app puts on a good face – it has a good rating on Google Play, and has even been installed between one and five million times. However, one user comment mentioned that the application was indeed detected as malware. Once our Mobile Research team identified Grabos on the application, they flagged it to Google, who removed it from Google Play.
But then the team discovered a lot more Grabos on Google Play. In fact, they found another 143 applications that were infected with the Android malware. Out of these 143 applications, they were able to examine 34 and found that they had an average rating of 4.4, and between 4.2 million and 17.4 million users had downloaded these apps. Only 6 have been removed entirely since being flagged to Google.
So, how exactly was Grabos able to maneuver its way onto so many applications? The malware was likely able to move past Google Play security measures because its code is protected with a commercial obfuscator, which essentially makes it difficult to analyze the app without launching it first.
Grabos has also developed a few unique capabilities, one being the ability to distinguish and inject code accordingly into “fake” vs “real” apps, which our other blog outlines. Additionally, it can communicate with a command and control server about the devices it infects with these trojanized apps. This device information includes: Android version, build model, device location, device configuration, specific apps installed, the list goes on.
Mind you, after collecting information on already installed apps, the C&C server creates fake custom notifications to trick users into installing additional applications. This may in fact reveal the malware’s true intentions — to make money by promoting the installation of apps.
How do I protect myself?
Now, the next step is to start thinking about protection. To ensure you keep your Android devices secure, be sure to follow these tips:
- Do your homework. Before you download an app, make sure you head to the reviews section of an app store first. Grabos could’ve been avoided if a user read one of the comments, so be sure to thoroughly sift through the reviews, and read through the comments section. It helps to research the developer too. When in doubt, don’t download any app that is remotely questionable.
- Limit the amount of apps. Only install apps you think you need and will use regularly. If you still a promotion for an app you did not seek out, avoid clicking on it entirely. And if you no longer use an app, uninstall it to keep it from accessing your information unnecessarily. This will help you save memory, and reduce your exposure to threats such as Grabos.
- Use a mobile security solution. As malware campaigns continue to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security.