Android Malware - Our Test

Android is a widely used mobile operating system.  It is awesome, open, and therefore vulnerable.  Several apps in the Google Play store have been found to contain malware.  Additionally, there are many websites where users can download apps for free.  Some websites even allow users to share paid apps with other users for free, generally including malware at no extra charge.  So, we decided to go ahead and run some tests to see what happens when we run an infected Android app.  We were mostly interested in seeing some of the traffic generated so that we could see the risk.

We started by downloadind infected versions of Cut the Rope and a tool for removing the justifiedly maligned CarrierIQ.  We researched and found some infected versions of various interesting apps.  Some of them were these:

fake apps


Then, we say SpamSoldier and definitely had to have it!  As background, SpamSoldier spreads through SMS messages that advertise free versions of popular paid games.  When the user clicks on a link from one of these SMS messages, the phone downloads an application to install the game and the SpamSoldier trojan.  The app connects to a remote Command & Control (C&C) server to receive the SMS spam message and a list of 100 US phone numbers to spam.  The process repeats itself.  SpamSoldier’s texts include messages telling consumers they’ve won a $1000 Target gift card or provide an opportunity to download free games.

For our test, we used an Android Virtual Machine.  There was no need to infect an actual phone or tablet this time, although for more advanced testing, it may be necessary.  This is what our VM looked like:

Android VM

So, after tinkering with apktool, WireShark, Android permissions, and looking at the code... We saw some packets from some infected apps that were making their way to Germany.  Other infected apps, to China.  Our test was limited and we plan to do a more intense test with decryption of the malware packets, an actual device, the works.  But for now, some details of our limited Android vulnerability test can be found at this link.