Thursday, July 19, 2012

What the Android.Dropdialer Trojan Taught Us: Check Permissions & Install Process

If we learned anything from the malicious apps that were most recently pulled from Google Play, it’s that we should pay close attention not only to an app’s permissions, but to the installation process as well.

Last week, Symantec researchers discovered two malicious apps in the Google Play store titled “Super Mario Bros” and “GTA 3 Moscow City.” Both apps managed to remain available for over two weeks and were downloaded 50,000 – 100,000 times.

But how did this malware, which Symantec identified as Android.Dropdialer, slip past Google’s app-scanning Bouncer?

Instead of pushing one payload that contains all of the malicious code, the author of the apps broke the payload into separate modules that could be delivered independently. This allowed the Trojan apps to get the OK during the QA screening process since the offending piece of the app hadn’t been downloaded just yet.

How it Works

When users downloaded the Android.Dropdialer Trojan app, they would view and accept an initial set of app permissions that seemed safe, and the app would download and install. That’s when the real fun began.

Android Dropdialer Installation Process

After being successfully installed, an additional package named ‘Activator.apk’ would be downloaded from Dropbox.

The user would be prompted again to accept the permissions of the new app, one of which was the permission to use “services that cost you money.” That’s no real surprise, since the entire attack revolves around sending SMS messages to a premium-rate number.

Once the SMS message has been fired off, the Trojan will prompt the user to uninstall the secondary SMS-sending payload in an attempt to hide its true intentions.
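The two-prompt pattern described above (a first app with an innocuous permission set, then a second package that asks for “services that cost you money”) is something a reviewer or an MDM check can flag mechanically. The script below is an added example, not code from the original post or from Symantec: it reads the `<uses-permission>` entries from two AndroidManifest.xml documents and reports whether the second stage escalates into the cost-money group. Both manifests are constructed for illustration; `Activator.apk` is the name the post gives the second-stage package, and the permission names are real Android permissions.

```python
"""Flag permission escalation across a staged ("dropper") install.

Added example, not part of the original post. It models the two
permission prompts a user sees with Android.Dropdialer: stage one is
the game, stage two is the separately downloaded Activator.apk. The
manifests are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions Android groups under "Services that cost you money".
COST_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}

# Permissions that let an app fetch and stage further code on the device.
STAGING = {
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed stage-one manifest: looks like an ordinary game.
STAGE1_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.supermario">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed stage-two manifest: the dropped Activator.apk.
STAGE2_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.activator">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def assess_staged_install(stage1_xml: str, stage2_xml: str) -> dict:
    """Compare the two prompts and report whether stage two escalates.

    'escalation' is True when the second package introduces a cost-money
    permission that the first package never asked for: exactly the
    pattern the post describes.
    """
    first = declared_permissions(stage1_xml)
    second = declared_permissions(stage2_xml)
    added = second - first
    return {
        "stage1_can_stage_code": bool(first & STAGING),
        "stage1_costs_money": bool(first & COST_MONEY),
        "stage2_adds_cost_money": sorted(added & COST_MONEY),
        "escalation": bool(added & COST_MONEY) and not (first & COST_MONEY),
    }


if __name__ == "__main__":
    verdict = assess_staged_install(STAGE1_MANIFEST, STAGE2_MANIFEST)
    for key, value in verdict.items():
        print("%-24s %s" % (key, value))
```

The check deliberately keys on the difference between the two prompts rather than on either manifest alone: a game that can reach the network is unremarkable, and an SMS utility that sends SMS is unremarkable, but a game that reaches the network and then hands the user a second package wanting `SEND_SMS` is the Dropdialer shape.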

So, the next time you download an app, make sure you keep an eye out for any suspicious permissions or screens that may attempt to trick you into downloading additional files.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.
