Android malware

As Android's market share grows, so does the volume of attacks and malware aimed at its users. Mobile malware is a broad term for software that performs actions the user did not intend; it includes Trojans, spyware, adware, ransomware, and so on. According to Pulse Secure, 97 percent of mobile malware targets the Android operating system (http://www.scmagazineuk.com/updated-97-of-malicious-mobile-malware-targets-android/article/422783/). Statistics released by G-DATA software put the number of new Android samples discovered at almost 4,900 per day. The following screenshot shows the rise of Android malware over the past few years (referenced from https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q1_2015_US.pdf):

[Figure: growth in new Android malware samples, from the G-DATA Mobile Malware Report Q1 2015]

One of the primary reasons for this situation is that, unlike Apple's App Store, which Apple controls tightly, Google's Play Store is an open ecosystem with no detailed upfront security review. Malware authors can therefore publish their apps to the Play Store with little friction and distribute them from there. Google now runs an automated malware scanner, Google Bouncer, over every uploaded app, but attackers have found several ways to evade it. Moreover, Android officially allows installing apps downloaded over the Internet (sideloading), unlike iOS, which refuses unsigned apps. For example, as shown in the following screenshot, once the Unknown sources option is enabled on an Android device, the user can install apps downloaded from any website:


Sideloading option in Android

Third-party app stores that host Android apps are known hubs of malware. This prompted Google to roll out the Verify apps feature starting with Android 4.2; it scans apps locally on the device and looks for malicious behavior such as SMS abuse. As shown in the following screenshot, Verify apps may warn the user or, in some cases, block the installation outright. However, it is an opt-in service, so users can turn it off if they choose:


Verify apps feature in Android

Once malware is on a device, it can perform dangerous actions, some of which are listed as follows:

  • Send and read your text messages
  • Steal sensitive data, such as pictures, videos, credit card numbers, and so on
  • Manipulate files or data present on the device
  • Send SMS to a premium-rated number
  • Infect your browser and steal any data typed into it
  • Change device settings
  • Wipe all data present on the device
  • Lock the device until a ransom is paid
  • Display advertisements continuously

Advanced malware can also root the device and install new apps. For example, the Android Mazar malware, discovered in February 2016, spreads via text messages and can gain device administrator rights on the phone, allowing it to wipe the handset, make calls, or read texts.

Note

A full list of Android malware families and their capabilities is available at http://forensics.spreitzenbarth.de/android-malware/ for reference.

How does malware spread?

An Android device can be infected with malware in several different ways. The following are some of the possible ways:

  • Repackaging a legitimate application: This is the most common method used by attackers. The attacker first downloads a legitimate application, disassembles it, adds their malicious code, and reassembles (and re-signs) the application. The new malicious application functions exactly as the legitimate one does, but it also performs malicious activity in the background. These kinds of applications are commonly found in third-party Android app stores and are downloaded by many people.
  • Exploiting Android vulnerabilities: In this scenario, an attacker exploits bugs or vulnerabilities discovered in the Android platform to install their malicious application or to perform other unwanted actions. For example, installer hijacking, identified in 2015, has been exploited by attackers to replace an Android application with malware during installation.
  • Bluetooth and MMS propagation: Malware is also spread via Bluetooth and MMS. The victim receives the malware when the device is in discoverable mode, that is, when it can be seen by other Bluetooth-enabled devices. In the case of MMS, the malware is attached to the message, just as computer viruses are sent through e-mail attachments. However, in both of these methods, the user has to agree at least once to run the file.
  • App downloading a malicious update: In this case, the app as originally installed contains no malicious code, but a function within it downloads malicious code or commands at runtime. This can be done via a stealthy update or a user update. For example, the Plankton malware uses stealthy updates that download a JAR file directly from a remote server without asking the user for any permission. In the case of user updates, the user has to allow the app to download the new version of the app.
  • Remote install: The attacker may compromise the credentials of the user's account on the device and thereby remotely install apps on it. This generally happens in targeted scenarios and is less frequent than the other methods just described.
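Because a repackaged app has been modified and then re-signed, it can be exposed by comparing it with a known-good copy of the same version (for example, the APK obtained from Google Play). The following is an added example written for this section, not code from the book or from any tool it describes: it treats each APK as the ZIP archive it is, hashes every entry, reports what was added, removed, or modified, and flags a changed signature block, which is unavoidable after repackaging because Android rejects an APK whose contents no longer match its signature. The two APKs, their package name, and their file contents are constructed in memory for the example.

```python
import hashlib
import io
import zipfile

# JAR-style signature blocks live under META-INF/ with one of these suffixes.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def apk_entry_hashes(apk_bytes: bytes) -> dict:
    """Map each file inside the APK (a plain ZIP archive) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: sha256_hex(zf.read(info))
                for info in zf.infolist() if not info.is_dir()}


def is_signature_block(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def diff_apks(original: bytes, suspect: bytes) -> dict:
    """Compare a known-good APK with a suspect one and report what changed."""
    orig = apk_entry_hashes(original)
    susp = apk_entry_hashes(suspect)
    added = sorted(set(susp) - set(orig))
    removed = sorted(set(orig) - set(susp))
    modified = sorted(n for n in orig.keys() & susp.keys() if orig[n] != susp[n])
    # Any change to the archive invalidates the original developer's signature,
    # so a repackaged app must carry a new signature block signed with the
    # attacker's key. A changed or replaced block is a strong repackaging indicator.
    resigned = any(is_signature_block(n) for n in added + removed + modified)
    return {"added": added, "removed": removed, "modified": modified, "resigned": resigned}


def make_apk(entries: dict) -> bytes:
    """Build an in-memory ZIP standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for the legitimate app as downloaded from the Play Store.
ORIGINAL_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.flashlight'/>",
    "classes.dex": b"dex\n035\x00original flashlight code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\nSHA1-Digest: aaaa\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"pkcs7 signature block from the developer's key",
})

# Constructed stand-in for a repackaged copy: a payload was added, classes.dex
# and the manifest were modified, and the archive was re-signed.
SUSPECT_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.flashlight'/><!-- SEND_SMS added -->",
    "classes.dex": b"dex\n035\x00original flashlight code + SmsSender",
    "res/layout/main.xml": b"<LinearLayout/>",
    "assets/payload.jar": b"PK...dropped second-stage code",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\nSHA1-Digest: bbbb\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"pkcs7 signature block from the attacker's key",
})

if __name__ == "__main__":
    report = diff_apks(ORIGINAL_APK, SUSPECT_APK)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In casework the two inputs would be the suspect .apk carved from the physical extraction and the same version pulled from the official store; the entries listed under added and modified (here a dropped assets/payload.jar and a changed classes.dex) are the files to decompile first.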

Identifying Android malware

From a forensic perspective, it is important to identify the presence of any malware on the device before performing any analysis. Malware can alter the state of the device or the contents on it, making the analysis or its results inconsistent. There are tools on the market that can analyze a physical extraction to identify malware. For example, Cellebrite UFED Physical Analyzer includes BitDefender's antimalware technology, which scans for malware. As shown in the following screenshot, once the physical image is loaded into the tool, the file can be scanned for malware.


Scanning for malware in UFED Physical Analyzer

Once the scan starts, the BitDefender engine tries to unpack the .apk files and looks for infected or malicious files. The process is automatic, and the tool points to the malicious apps, as shown in the following screenshot:


Malware scanner results in UFED Physical Analyzer

The tool only points out that something malicious is present on the device. The forensic investigator then has to confirm manually whether this is a valid finding by analyzing the respective application. This is where the reverse engineering skills discussed in the previous sections need to be leveraged. Once the application is reverse engineered and its code is obtained, it is recommended that you look at the AndroidManifest.xml file to find out the app's permissions. This helps you understand where the app stores data, what resources it tries to access, and so on. For example, a flashlight application does not need read/write access to your SD card or the ability to place a call.
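The manifest review described above can be scripted once the .apk has been decoded (apktool, for instance, writes AndroidManifest.xml back out as plain XML). The following is an added example, not code from the book or from UFED Physical Analyzer: it reads the decoded manifest, lists every permission the app requests that is not in the baseline expected for its category, annotates the ones that correspond to the abuses listed earlier in this section, and checks the manifest's receivers for two components that a flashlight should never carry, an SMS_RECEIVED listener and a device-administrator receiver. The package name, the manifest itself, and the flashlight permission baseline are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, attr):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, attr))


# Permissions a flashlight app has a plausible reason to request (assumed
# baseline for this example; build one per app category in real casework).
EXPECTED_FLASHLIGHT = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Permissions that map directly to the abuses listed earlier in this section
# (constructed watch-list, not an exhaustive catalogue of dangerous permissions).
HIGH_RISK = {
    "android.permission.SEND_SMS": "send SMS, including to premium-rate numbers",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.WRITE_EXTERNAL_STORAGE": "read/write the SD card",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot (persistence)",
    "android.permission.INTERNET": "network access (command and control, exfiltration)",
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def analyze_manifest(manifest_xml, expected_permissions):
    """Flag permissions and components that an app of this kind should not need."""
    root = ET.fromstring(manifest_xml)
    requested = {android_attr(e, "name") for e in root.iter("uses-permission")}
    unexpected = sorted(requested - expected_permissions)
    flagged = {p: HIGH_RISK[p] for p in unexpected if p in HIGH_RISK}

    sms_hooks, device_admin = [], False
    for receiver in root.iter("receiver"):
        actions = {android_attr(a, "name") for a in receiver.iter("action")}
        # A receiver registered for SMS_RECEIVED sees every incoming text
        # message and, with a high-priority filter, can abort the broadcast
        # so that the user's messaging app never shows it.
        if SMS_RECEIVED in actions:
            sms_hooks.append(android_attr(receiver, "name"))
        # A receiver guarded by BIND_DEVICE_ADMIN that handles
        # DEVICE_ADMIN_ENABLED is a device-administrator component: once the
        # user grants it, the app can wipe the device and resist uninstallation.
        if android_attr(receiver, "permission") == BIND_DEVICE_ADMIN and DEVICE_ADMIN_ENABLED in actions:
            device_admin = True

    return {
        "package": root.get("package"),
        "unexpected": unexpected,
        "flagged": flagged,
        "sms_hooks": sms_hooks,
        "device_admin": device_admin,
    }


# Constructed decoded manifest of a supposed flashlight app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <receiver android:name="com.example.flashlight.SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name="com.example.flashlight.AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST, EXPECTED_FLASHLIGHT)
    print("package:", report["package"])
    for perm, why in report["flagged"].items():
        print("  unexpected permission %s: %s" % (perm, why))
    print("  SMS receivers:", report["sms_hooks"])
    print("  device admin component:", report["device_admin"])
```

The script is a triage aid, not a verdict: a flagged permission tells you which classes to read first (the SmsReceiver and AdminReceiver here), and a clean manifest proves nothing, since code loaded at runtime, as in the Plankton case above, does not appear in it.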


Permissions in the AndroidManifest.xml file

It is also important to note that the tool may miss a valid case if the details are obfuscated inside the .apk file. Hence, as a forensic investigator, you need to develop the skills to reverse engineer any suspicious app and analyze its code to identify malicious behavior. In some investigations, the nature of the malware present on the device may also lead to crucial conclusions that affect the outcome of a case. For example, consider an internal investigation in a corporation that involves abusive messages being sent to other employees. Identifying malware on this device that sends.
