New Malware Bypasses Android Market, Downloads Directly to Mobile Phones

The latest Android malware is downloaded directly from a Web site that looks like the Android Market and signs users up to multiple prime-rate SMS services without their knowledge.

Lookout Mobile Security is warning of a new kind of Android malware that bypasses Google's protections and targets the user's phone directly.

Dubbed GGTracker by Lookout Mobile Security researchers, the latest Android malware is spread through in-app advertisements, Tim Wyatt, a software engineer at Lookout Mobile Security, wrote on the company blog June 20. When a user clicks on various ads, such as for adult content or mundane battery saving tools, the user is directed to a Web site designed to look like the Android Market.

It appears that malware developers made this move because Google is getting more vigilant about keeping malware-tainted apps off the official Android Market. Google removed more than 25 applications from the Android Market after it discovered they were actually legitimate apps that had been repackaged with DroidDream Light, a variation of an earlier data-stealing Trojan. Google had removed over 50 apps infected with DroidDream from the Market in March.

"We believe Android users are shown an advertisement that directs them to a malicious Web site that resembles the Android Market installation screen," Wyatt wrote.

Lookout did not have an estimate for how many users may be infected, but said it targets users in the United States. It was also unclear which smartphone apps had the ads that were helping to spread the malware.

Normally, malware is hidden inside an application that is downloaded from an app market, whether it is from the official Android Market or any of the several third-party app stores that exist. The latest Android threat is packaged in such a way that it can be downloaded directly from the Web. The APK, or Android application package file that contains the compiled code and related files necessary for installation, is available directly from this site and saved on the device's downloads folder.

In the case of GGTracker, when the user decides to get an app, the site directs the user to an installation page that looks and behaves just like the Android market. Users might be tricked into thinking the site is a Google-created site because it looks like the official Market, Wyatt said.

"To our knowledge, this malicious application is not found in the Android Market," Wyatt said.

The fake installation page prompts the user to start the Android downloader to install the APK file from the downloads folder. Once installed, the malicious app pings multiple servers that subscribe the user's phone number to different premium SMS subscription services.

Most services require some user interaction, such as answering questions or creating a PIN, before allowing the number to be registered. The back-end server for GGTracker communicates directly with the SMS services and intercepts the messages sent to the mobile device in order to complete the registration process without the user even knowing about it, Wyatt said.

The services can have charges of up to $9.99, according to Wyatt.

While SMS subscription attacks are most common in countries like Russia and Ukraine, where cyber-criminals can easily rent prime-rate SMS subscription numbers, "we are going to see bigger SMS attacks elsewhere," Denis Maslennikov, a senior malware analyst at Kaspersky Lab, told eWEEK. Mobile malware taking advantage of advertisements within other apps is quite common in the United States, Maslennikov said.

A tech-aware user would be able to tell something is wrong when encountering GGTracker, since most legitimate Android Market apps won't require the user to go into downloads to install the apps, and because the Android operating system will still force the app will to ask the user for permission to access the text messaging capabilities before it can get installed.

Wyatt recommended users enable Safe Browsing on their Lookout security software so that they would be prompted when navigating to the fraudulent page. Other vendors have mobile security software that would detect the malicious software, such as Kaspersky and Webroot.