
Android Security & Ransomware

December 6, 2017 / Param Singh

Ten years ago this month, Google announced Android, which has since transformed the smartphone market. Today Android powers more than two billion devices (phones, tablets, televisions and more), and it is only now gaining real traction in the enterprise.

As hardware has advanced, smartphones and tablets are rapidly replacing other devices we use at home and in the workplace; some estimates put the number of smartphones above six billion by 2020. Having displaced the personal computer for many tasks, these devices are used for everything from web browsing, paying bills, online banking, digital wallets and storing personal information to serving as point-of-sale terminals. Securing them should therefore be a top priority in both enterprise and home environments.

Many enterprises struggle to reconcile BYOD (bring your own device) adoption with a security strategy for smartphones and tablets. Most items on a typical enterprise security checklist (installing security patches, running the latest OS, application whitelisting, etc.) apply equally to mobile, so creating a separate, disconnected mobile security strategy is not advised.

Instead, smart-device policies should be crafted to fit the overarching security strategy. That said, BYOD is a double-edged sword: it gives employees flexibility, but because the organization does not own the device, managing it is hard.

Android (In)Security

Android phones make up more than 85% of the smartphone market, making it the most prominent, and therefore the most targeted, smartphone platform. The economics of cybercrime that favored PC malware in the desktop and server world hold for smartphones too: criminals go after the most prevalent platform in order to infect as many victims as possible, which raises the expected return of a campaign.

Platform Fragmentation

Apart from market prevalence, another aspect of the Android ecosystem that benefits attackers is its fragmented adoption of software updates. A full year after its release, only 17% of Android devices run Nougat 7.0 and only 3% run its incremental update, Nougat 7.1. By contrast, Apple's iOS 11 reached 52% of iPhones in less than two months. Recent research on Android fragmentation found that more than one billion Android devices have not received an update in two years and probably never will.

Figure 1: Comparison of platform update adoption: Android 17% (in a year) vs. Apple 52% (in two months)

This fragmentation and lag in adopting newer Android releases is one of the main reasons for its perceived insecurity. Google has worked hard in recent years to improve the platform and the Google Play store, with application sandboxing, user permissions, device encryption, vulnerability disclosure programs and so on, but unless fragmentation is tackled there will always be malware families targeting users whose devices are not fully updated.

Because Google does not control the hardware, any change to the Android platform potentially affects many manufacturers, OEMs, carriers and users around the globe. That diversity of hardware and vendors is why Android runs on two billion devices, but it also complicates the coordination needed to reduce fragmentation through updates and patches. Most threats to the platform could be eliminated if every device were simply upgraded to the latest version; the catch is that on many devices the user has no update to install, because the OEM or carrier never ships one.

Open-Source Platform

Many smartphone users believe Android is more vulnerable simply because it is open source, but this is not true. The worry is that publishing the source makes it easier for malicious hackers to see how the software works. Yet open source also makes it easier for everyone else who is interested to read the code, contribute enhancements and report security vulnerabilities.

Another benefit of open-source software is the speed with which patches for high-severity bugs land. Closed-source vendors typically have longer update cycles because of resource availability, project priorities and rigid release schedules. On Android, of course, a fix landing in the source tree is only the first step; it still has to reach devices, which brings us back to fragmentation.

A skilled attacker will find bugs in an application whether or not the source is available, whereas a closed-source application definitely deters hobbyists and volunteers from collaborating on fixes. Android's rapid development and improvement is partly fueled by its being an open-source platform.

Google Play Security

Google provides a centralized market, Google Play, for mobile applications, but Android users can also install apps from third-party stores such as Amazon's. While most of these stores are reputable and safe, there are also underground marketplaces that give away popular commercial or paid apps for free. These are especially popular in low-budget segments in developing countries, where Android dominates.

Malicious hackers have long decompiled popular apps, added their own code, repackaged them and hosted the result on these underground marketplaces, which give the commercial apps away for free.

For example, earlier this year criminals used this tactic on King of Glory, a popular Chinese game, crafting a fake copy modified to spread ransomware that mimicked WannaCry. According to Wikipedia, King of Glory has more than 200 million monthly players, which makes repackaged fakes of it a great lure for criminals and a serious security problem.

Security-aware Android users stay away from third-party stores and install applications only from Google Play. Even so, there have been many reports of malicious apps that slipped past Google's vetting and infected end users, which undermines the trust users want to place in Google Play. A recent example is the BankBot trojan, which bypassed Google's vetting process three times and even carried the Google Play Protect "verified" badge.

Another example is the fake version of WhatsApp recently spotted on Google Play by Redditors, which fooled more than a million users into downloading it. In that case the fake was simply the original application with advertisements bolted on, earning money for the malicious uploader.

Figure 2: Fake WhatsApp on Google Play Store with 1 million downloads

Android Malware and Ransomware

With businesses making ever more use of smartphones, tablets and other BYOD devices, these devices will become targets of cybercriminals sooner rather than later. Long-successful tactics and toolsets from the desktop world are being ported over; one is the "malware generator", which lets criminals with minimal coding experience churn out malware variants. An Android generator typically asks the user only for a ransom note and an application icon, and produces an APK file that can then be distributed by any of the usual techniques. Double-Locker, for instance, posed as an Adobe Flash Player update served from compromised websites.

A common technique seen in these generators is code obfuscation, much as web exploit-kit developers have long obfuscated malicious JavaScript to evade detection. Criminals now apply the same idea to APKs, for example by storing URLs, commands and other parameters as encoded strings, to slip past screening processes that rely on automated code-level review.
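As an added example (not code from the original post or from Carbon Black), the following Python snippet shows the reviewer's side of this: given the string constants pulled from decompiled APK code, it picks out the ones that look like base64, decodes those that yield readable text, and flags URLs and ransom-note phrases that an automated review of the raw constants would have missed. The sample strings are constructed for this example; the two encoded blobs and the domain inside them are made up.

```python
import base64
import binascii
import re

# Constructed sample of string constants as they would appear in decompiled
# APK code (e.g. smali "const-string" literals). The two base64 blobs are
# assumptions made up for this example, not strings from any real sample.
SAMPLE_STRINGS = [
    "Adobe Flash Player",
    "SecurityThreatScannerService",                  # plain identifier, not base64
    "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9nYXRlLnBocA==",   # encoded C2-style URL
    "WW91ciBmaWxlcyBoYXZlIGJlZW4gZW5jcnlwdGVk",       # encoded ransom-note line
    "AAAAAAAAAAAAAAAA",                              # decodes to NUL bytes, not text
    "ok",
]

# A run of at least 16 base64-alphabet characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII (tab/newline allowed)."""
    return bool(data) and all(
        0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data
    )


def decode_hidden_strings(strings):
    """Return {token: decoded_text} for constants that base64-decode to text.

    Identifiers that merely happen to use the base64 alphabet decode to
    binary garbage and are dropped by the printable-text filter.
    """
    found = {}
    for s in strings:
        for token in B64_TOKEN.findall(s):
            padded = token + "=" * (-len(token) % 4)   # repair stripped padding
            try:
                raw = base64.b64decode(padded, validate=True)
            except binascii.Error:
                continue
            if _looks_like_text(raw):
                found[token] = raw.decode("ascii")
    return found


def flag_indicators(decoded):
    """Pick out the decoded strings a reviewer would escalate on."""
    hits = []
    for _token, text in decoded.items():
        lower = text.lower()
        if lower.startswith(("http://", "https://")):
            hits.append(("url", text))
        elif any(w in lower for w in ("encrypted", "ransom", "bitcoin", "unlock")):
            hits.append(("ransom-note", text))
    return hits


if __name__ == "__main__":
    for kind, text in flag_indicators(decode_hidden_strings(SAMPLE_STRINGS)):
        print(f"{kind:12} {text}")
```

The 16-character minimum and the printable-text filter are what keep the false-positive rate tolerable on real code, where camel-case class names match the base64 alphabet all the time; a real triage script would feed it the output of `strings` on classes.dex or the constants from a decompiler rather than a hand-built list.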

Until now, most fake applications have been used to send premium-rate SMS messages and steal financial credentials. As those attacks get harder and cryptocurrencies such as Bitcoin gain popularity, we believe ransom-based attacks, both screen-lockers and file-encryptors, will become more common.

We are already seeing an uptick in Android ransomware kits in underground markets, and they sell for much higher prices. In our research we found that the median price of ransomware targeting Windows is $10, whereas Android-capable ransomware has a median price of around $200.

Figure 3: Android locker ransomware being sold on the dark web for a premium price

While Windows ransomware kits on the dark web vastly outnumber those for any other platform, we are noticing premium kits targeting Android and believe these attacks will reach smartphones, tablets and other Android devices very soon.

For a successful campaign, such as the fake WhatsApp app that sat on Google Play and was downloaded more than a million times, the return on that investment can be enormous.

Recommendations

While the Android ecosystem has numerous flaws, it has come a long way in the 10 years since its initial release. At a recent event where security researchers competed to find and exploit vulnerabilities, no vulnerability was reported against Google's Pixel 2, whereas Apple's iOS 11 was hacked on both November 1 and November 2. Because Google controls the hardware, one of the important security features of Pixel phones is immediate access to the latest Android OTA (over-the-air) updates.

That, hopefully, will help address the platform fragmentation and slow upgrade adoption discussed earlier. Users who keep the OS and their applications at the latest revisions and patch levels are far safer.
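As an added example, not part of the original post: a small Python fleet check of the kind an enterprise could run over an MDM export, or over the output of `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch` collected from each enrolled device, to find the devices that are stuck on old releases or stale patch levels. The inventory rows, device names, reference date and policy thresholds are constructed assumptions.

```python
from datetime import date, datetime

# Constructed inventory rows (device names are made up), in the shape an MDM
# export or a loop over
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
# would give. ro.build.version.security_patch only exists from Android 6.0,
# so older builds report an empty string.
FLEET = [
    {"device": "pixel2-01", "release": "8.1.0", "security_patch": "2017-12-05"},
    {"device": "tablet-07", "release": "7.0",   "security_patch": "2017-06-01"},
    {"device": "phone-old", "release": "5.1.1", "security_patch": ""},
    {"device": "phone-mid", "release": "6.0.1", "security_patch": "2016-11-01"},
]

# Reference date for the example (the post's publication date).
AS_OF = date(2017, 12, 6)


def parse_patch_level(value):
    """Turn 'YYYY-MM-DD' into a date, or None if absent or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:
        return None


def release_tuple(release):
    """'8.1.0' -> (8, 1); non-numeric parts (e.g. '4.4W') count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in release.split(".")[:2]]
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def classify(row, today, max_patch_age_days=90, min_release=(7, 0)):
    """Return the reasons a device is out of policy (empty list = compliant)."""
    reasons = []
    patch = parse_patch_level(row["security_patch"])
    if patch is None:
        reasons.append("no security patch level reported (pre-6.0 build or unknown)")
    else:
        age = (today - patch).days
        if age > max_patch_age_days:
            reasons.append(f"security patch {patch} is {age} days old")
    if release_tuple(row["release"]) < min_release:
        minimum = ".".join(str(n) for n in min_release)
        reasons.append(f"release {row['release']} is below minimum {minimum}")
    return reasons


def fleet_report(fleet, today, **policy):
    """Map device -> reasons, for every device that fails the policy."""
    report = {}
    for row in fleet:
        reasons = classify(row, today, **policy)
        if reasons:
            report[row["device"]] = reasons
    return report


if __name__ == "__main__":
    for device, reasons in fleet_report(FLEET, AS_OF).items():
        print(device, "->", "; ".join(reasons))
```

The patch-level age is the more useful signal of the two: a device on a supported release but with a patch level many months old is exactly the device an OEM or carrier has stopped updating, and on a BYOD fleet the only remedies are to restrict what such a device may access or to retire it.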

It is also important to install only from Google Play or other trustworthy sources (e.g., Amazon). Although some malicious applications have made their way into Google Play in the past, it is still the most trusted and safest way to install applications: Google continuously improves its screening process and is quick to remove malicious applications once they are disclosed or detected. Users should not be lured into installing applications from dubious third-party sources that give paid apps away for free.

To judge whether an application is legitimate, users should review its reputation, user feedback, app verification status and prevalence before downloading and installing it.

Pay special attention to the permissions an app requests, which can indicate malicious behavior: an app that presents itself as a media player or a game but asks for device-administrator rights, to draw over other apps, or to send SMS has no legitimate need for them. Proactive users should also enable Google Play Protect's "scan device for security threats" feature to detect harmful applications when they are downloaded and on a routine schedule.

Figure 4: Google Play Protect feature to scan installed applications
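As an added example (not from the original post), this Python snippet automates the permission review described above for an analyst who has a decoded manifest in hand: it reads an AndroidManifest.xml in the text form apktool writes out, collects both the `<uses-permission>` entries and the signature-level permissions that guard components (device-admin receivers and accessibility services are declared that way, not via `<uses-permission>`), and flags the combination a screen-locker or SMS-fraud app typically needs. The manifest, its package name and its class names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest in the form apktool decodes it to, mimicking a fake
# "Flash Player" locker. Package and class names are made up for this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer.fake">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Adobe Flash Player">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:name=".ClickService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Permissions worth a second look, with the abuse each one enables.
RISK_RULES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (screen locker, overlay phishing)",
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (one-time-code theft)",
    "android.permission.READ_SMS": "can read stored SMS (one-time-code theft)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself at boot (persistence)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can rewrite files on shared storage (file encryption)",
    "android.permission.BIND_DEVICE_ADMIN": "device-administrator receiver (lock screen, change PIN, wipe)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (can click through prompts for the user)",
}


def requested_permissions(manifest_xml):
    """All permissions the app requests or declares on its components."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    for tag in ("receiver", "service", "activity"):
        for el in root.iter(tag):
            guard = el.get(PERMISSION)
            if guard:
                perms.add(guard)
    perms.discard(None)
    return perms


def assess(manifest_xml):
    """Return (verdict, {permission: reason}) for a decoded manifest."""
    perms = requested_permissions(manifest_xml)
    findings = {p: RISK_RULES[p] for p in sorted(perms) if p in RISK_RULES}
    verdict = "review-before-install" if findings else "ok"
    # Overlay plus boot persistence is the classic screen-locker shape.
    if {"android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECEIVE_BOOT_COMPLETED"} <= perms:
        verdict = "locker-pattern"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess(SAMPLE_MANIFEST)
    print(verdict)
    for perm, reason in findings.items():
        print(f"  {perm}: {reason}")
```

The same rules apply to the permission prompt a user sees at install or run time; the script only makes the review repeatable. It does not replace Play Protect or a reputation check, since a legitimate launcher or backup tool can legitimately hold several of these permissions, which is why the verdict is "review" rather than "malicious".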

Last but not least, ransomware has highlighted the value of safe, secure and up-to-date backups of critical systems. Smartphones and tablets should be covered by that policy too.

Android is making great strides in enterprise-level support and security for a connected workforce, with a comprehensive suite of tools that can manage both corporate-owned and personal BYOD devices across a wide range of hardware to suit different usability needs and budgets.
