Google Code Projects Host Android Malware

By on

[March 1: See update at end]

Google Code is a well-known platform that provides a collaborative environment for developers working on open source projects. It’s also a target for malware developers. Contrary to what you may think, this is not the first time that Google Code has been used to spread or store malware. (You can find examples in the discovery of uploaded images that led to fake codecs in 2009 and in Windows Trojans/backdoors/password-stealing keyloggers found in 2010.) Further, we have recently found an Android malware that uses Google Code as a distribution platform for both potentially unwanted programs (pay-per-install campaigns or adware) and malicious applications (downloaders).

The first variant of the current malware in Google Code was found in a third-party Android market repacked in a Chinese version of a legitimate memory-optimization application. Every time the application executes or the boot process finishes (device rebooted or turned on), the payload starts as a service running in the background. The service checks a remote server (with the URL encoded in a file inside the “assets” folder) for applications to download that store information in a database created inside the device. (Click the image to enlarge it.)

The data obtained from the web server includes the name of the package, the name of the apk file, and the path used to download the application–which points to a Google Code project:

The database records whether a specific application was downloaded, installed, or opened. Once the data is stored, an execution thread downloads, without user’s consent, the first application in the database. This app is stored under the folder download in the SD card:

As soon as the download finishes, the malicious application tries to install the application by displaying a notification that tricks the user into believing it is a system update. (Translation from Chinese: 系统更新 = “System update” and 您好, 已经获取… = “Hello, the latest patch has been downloaded, please click here to install”):

When the user taps that notification, the downloaded application starts to install using the normal Android procedure. Suspicious applications stored in several Google Code projects have been analyzed; some of them have been classified as PUPs because they have unwanted behavior such as sending private data (IMEI, phone number) to remote servers. Researchers have found a new variant of the malware that, instead of being packed in a legitimate application, is pure malicious code which does not show any icon in the main menu. However, it can be seen installed in the Downloaded section of Manage Applications using a deceptive honeycomb icon and the title Android 3.0 Patch:

Although none of the analyzed samples contains root exploits, this variant has code to check if the device is already rooted. If so, it will proceed with a silent install of the downloaded application with the command “pm install –r.” Another difference with the variant in the Google Code project is that the malicious behavior starts only if the screen of the device is turned off, probably to make the system update appear normal.

Despite the fact that most of the applications available in Google Code projects are neither malicious nor PUPs, the links stored in the remote server, along with the text of the notification, can change at any time. Thus virtually any application can be installed on the device without the user’s consent. McAfee Mobile Security detects all these variants as Android/FakeUpdates.

Update: The affected projects have been removed by Google.

Categories: McAfee Labs
Tags: ,

Leave a Comment

Similar articles

Analytics 101

By on
From today’s smart home applications to autonomous vehicles of the future, the efficiency of automated decision-making is becoming widely embraced. Sci-fi concepts such as “machine learning” and “artificial intelligence” have been realized; however, it is important to understand that these terms are not interchangeable but evolve in complexity and knowledge to drive better decisions. Distinguishing ...
Read Blog
A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim's contact list. What's more, the author of the Cerberus ...
Read Blog
5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions ...
Read Blog