


Known Android Malware Variants

The list below is not exhaustive; it is meant to provide an overview of the most prevalent Android malware impacting US victims. This page is updated regularly with new information.


What is Android?

Android is a Linux-based open-source mobile operating system developed by Google. It was introduced to the market in late 2008 when the T-Mobile G1 was launched in the United States; it was launched globally under “HTC Dream.” In April 2009, the first major update, “Cupcake,” was released for the T-Mobile G1, and thus began the tradition of naming Android updates after delectable treats. With this update came features that we recognize in modern Android devices today, such as an on-screen keyboard and home screen widgets. The Android platform gained prominence in 2010 with Google’s Nexus product line, which included Android phones offered by Motorola, HTC, and Samsung, and the first Android-powered tablet. On March 6, 2012, the Google Play store was launched—consolidating the Android Market, Google Music, and the Google eBookstore—to become a centralized digital distribution service and serve as the official app store for Android. During the summer of the same year, one of the most popular Android versions, Jelly Bean, was released. In 2014, Android expanded to TVs, wearables, and Chromebooks. Android Lollipop was released that October, equipped with a new design and features that were more user-friendly and intuitive. Since then, Android-powered devices have increased market share with the release of the LG line of “G” smartphones and Samsung’s line of “S” and “Note” devices.

According to tracking figures, only 0.9% of Android users were using the latest version, 7.1, as of July 6, 2017. Nearly one-third of users are still running version 6.0, Marshmallow.

Current Android versions in use (chart not reproduced here).


What is Android malware?

Android malware is malicious software designed to exploit the Android operating system (OS) running on smartphones, tablets, and other devices. Some variants of Android malware can disable the device, allow a malicious actor to remotely control it, track the user's activity, lock the device, or encrypt or steal personal information transmitted from or stored on the device. As users increasingly turn to mobile devices for both business and personal use, cyber threat actors are devoting their efforts to developing malware that compromises device software, including operating systems like Android and applications such as those available in the Google Play store and third-party app stores.


What types of malware impact Android devices?

  • Ransomware – a type of malware that encrypts or steals sensitive data and demands a payment to either decrypt or return it. Mobile ransomware began with a “lock screen,” often accusing the victim of viewing unlawful content and demanding money for the device to be unlocked. It evolved into malware that encrypts all files on the mobile device and demands payment for the decryption key needed to access the files. In the first quarter of 2017, mobile ransomware infections rose 253 percent compared with the same period in 2016.
  • Adware – the most common app-based mobile threat. Adware is malware that automatically delivers advertisements to the infected device to generate revenue for the threat actor, changes browser settings, collects personal information such as the victim’s phone number and email address, and modifies desktop icons and settings. Some adware has evolved to be able to break and root infected devices.
  • Trojan – a type of malware disguised as a non-malicious file or application; the user unintentionally installs the malware onto their device. Trojans can provide threat actors with unauthorized access to the victim’s device and allow them to download additional malware onto it. This type of malware can have a severe impact. There are many types of trojans, named for their function, including banking trojans, trojan downloaders, and spyware.
  • Rootkit – a type of malware that allows threat actors to gain full administrative privileges on the targeted device. Users are typically infected via malicious apps disguised as legitimate applications or via trojans previously installed on the device. Rootkits provide threat actors with full control over the device and are also likely able to download additional malware and applications, spy on the user’s browsing habits and emails, steal credentials, listen to conversations, take photos, locate the phone via GPS, and use the device for click fraud.


How are Android devices infected?

Android malware can infect a user's mobile device through several means, including clicking malicious links in emails or SMS texts, visiting a compromised website, downloading an infected application from the Google Play store or a third-party app store, connecting to an unsecured or malicious WiFi network, or downloading a malicious file, such as a torrent. Once a device is infected, the threat actor can conduct nefarious activity and load additional malware onto the device.



Recommendations

  • Immediately apply operating system and application patches and updates.
  • Avoid downloading applications from third-party app stores.
  • Avoid “rooting” or “jailbreaking” devices, as this can weaken or disable security settings, making the devices more susceptible to malware infections.
  • Disable Bluetooth when it is not required or in use.
  • Consider downloading or purchasing a reputable anti-malware application that scans apps when they are downloaded and when they are updated.
  • Avoid responding to, or clicking links within, unsolicited text messages. Never trust text messages sent from an unknown user.
  • Set your device to automatically lock the screen when not in use and require a passcode or biometric authentication to unlock it.
  • Never enter sensitive personal or financial information into forms on an unencrypted, unsecure webpage. Only use secure sites that display HTTPS in the URL.
  • Avoid accessing any public, unsecure WiFi network. If you must use an unsecure WiFi connection, use it in conjunction with a VPN and avoid logging into personal or financial accounts.
  • Scrutinize the permissions requested by applications. Avoid granting applications permissions beyond what is necessary to fulfill their function. For example, a fitness app would likely not require, and therefore should not be requesting, SMS read/write access to your mobile device.
  • Organizations operating with BYOD policies are urged to educate employees on mobile threats and vulnerabilities, implement monitoring and endpoint protection on all mobile devices, establish the capability to remotely wipe lost or compromised devices, and ensure programs and users have the lowest level of privileges necessary to complete their tasks.
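The permission-scrutiny recommendation above can be turned into a repeatable check. The following is an added example written for this page, not NJCCIC's or Google's code: it parses the `<uses-permission>` entries of an app manifest, compares them against an expected permission profile for the app's category, and flags anything unexpected that grants message access, surveillance capability, or the ability to install further packages. The manifest is a constructed sample of a "fitness" app that also asks for SMS access; the category table is an assumption a real deployment would maintain itself. On a device, the same permission list can be obtained with `adb shell dumpsys package <package>` and passed to `audit_permissions()`.

```python
"""Flag over-broad Android app permissions (added example, not part of the
original page). Input is a constructed AndroidManifest.xml fragment."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app read or send messages, observe the user, or
# extend its own footprint. Presence is not proof of malice, but each one
# should be justified by the app's stated function.
HIGH_RISK = {
    "android.permission.READ_SMS": "read text messages (one-time codes, 2FA)",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.SEND_SMS": "send texts (premium-rate fraud)",
    "android.permission.READ_CONTACTS": "harvest the address book",
    "android.permission.RECORD_AUDIO": "listen to conversations",
    "android.permission.CAMERA": "take photos",
    "android.permission.ACCESS_FINE_LOCATION": "track the device via GPS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlays, lock screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages",
    "android.permission.BIND_DEVICE_ADMIN": "device-administrator control (lock, wipe)",
}

# Expected permission profiles per app category. Assumption: a real
# deployment keeps its own table; these two rows are illustrative.
EXPECTED = {
    "fitness": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACTIVITY_RECOGNITION",
    },
    "messaging": {
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
    },
}


def manifest_permissions(manifest_xml: str) -> list:
    """Return the permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]
    return [n for n in names if n]


def audit_permissions(perms, category):
    """Return (unexpected, high_risk): permissions outside the category's
    profile, and the subset of those that carry a high-risk capability."""
    expected = EXPECTED.get(category, set())
    unexpected = sorted(p for p in perms if p not in expected)
    high_risk = {p: HIGH_RISK[p] for p in unexpected if p in HIGH_RISK}
    return unexpected, high_risk


# Constructed sample: a step-tracker that also wants to read and send SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.steptracker">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    perms = manifest_permissions(SAMPLE_MANIFEST)
    unexpected, high_risk = audit_permissions(perms, "fitness")
    for p in unexpected:
        flag = "HIGH RISK" if p in high_risk else "review"
        print(f"{flag:9} {p}  {high_risk.get(p, '')}")
```

Run against the sample, the script lists INTERNET for review and flags READ_SMS and SEND_SMS as high risk, which is exactly the fitness-app mismatch the recommendation describes. The two-tier output matters: an unexpected permission is a prompt to ask why, while a high-risk one is a reason to deny the install or revoke the permission in Settings until the vendor explains it.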


Resources

Android’s developers provide a list of Best Practices for Security and Privacy.

Google released Google Play Protect to help mitigate malware-infected applications in the Google Play Store.


Incident Reporting

If you or your organization is the victim of an Android malware infection, please report it to the NJCCIC using the Cyber Incident Reporting form on our website. Victims can also report incidents via email at NJCCIC@cyber.nj.gov or by phone at 609-963-6900, extension 7865.