Symantec discovered a malware disguised as “Google Service” app
A spyware posing as a “Google Service” app was discovered by researchers at Symantec, highlighting the double-edged nature of legitimate security tools used for malicious purposes.
Ron Cohen Chen | 25/08/2016
With our constant internet usage and a plethora of devices, there is more information being generated and shared online than ever before. As a result, the focus of cybercriminals has shifted to more sophisticated attacks. Symantec led the first era of security with antivirus, but the internet security landscape has changed a lot since then, and you must implement other prevention and detection capabilities alongside AV to meet the challenges of today’s threats.
Recently, our researchers found an interesting new threat, detected by our Mobile Insight technology, that highlights the double-edged nature of some security software capabilities found in legitimate products.
The spyware we discovered poses as a “Google Service” app and uses an embedded copy of a legitimate security tool to compromise other security protection tools that could be used to defend against it. Symantec detects this threat as Android.Spywaller.
The malware’s initial behavior is similar to many mobile threats. When launched, the app exits the user interface (UI) and hides its icon in an attempt to cover its tracks. It then releases an encrypted payload containing the malware service logic and loads it into memory. Once installed, the threat displays a “Google Service” icon on the device; however, there is no actual offering from Google with this name.
The malware then tries to root the device and sits in the background collecting sensitive information. The collected information is sent to the malware’s backend server.
Things Get Interesting
After examining the reversed payload, a clue emerged in the form of a method named disable360Network(). A closer look at this method revealed some interesting behavior: the malware checks to see if the Qihoo 360 mobile security app, which is popular in China, is installed on the compromised device. If the security app is installed, the malware will acquire the app’s unique identifier (UID).
The malware then drops and runs a firewall binary called DroidWall (a customized version of iptables for Android), and creates firewall rules that will block the targeted security application (in this case Qihoo 360) by referencing its UID. These days, many security scanners rely on the cloud to deliver protection, so blocking their communication would significantly compromise that ability.
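A defender can check a device for the condition described above by listing its firewall rules and looking for owner-match rules that drop or reject traffic for a security app's UID. The Python sketch below is an added example, not Symantec's code or part of the original article; the package names, UIDs, chain name and both sample listings are constructed, and it assumes input in the form of `iptables -S` output and Android's `packages.list` layout.

```python
import re
import shlex

# Constructed sample in the style of Android's /data/system/packages.list
# ("<package> <uid> ..."); the package names are placeholders.
PACKAGES_LIST = """\
com.example.mobilesecurity 10087 0 /data/data/com.example.mobilesecurity
com.example.browser 10052 0 /data/data/com.example.browser
com.example.notes 10101 0 /data/data/com.example.notes
"""
# Constructed sample of `iptables -S` output; "fw-block" is a made-up chain.
IPTABLES_RULES = """\
-P OUTPUT ACCEPT
-N fw-block
-A OUTPUT -j fw-block
-A fw-block -m owner --uid-owner 10087 -j DROP
-A fw-block -m owner --uid-owner 10052 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 10101 -j REJECT --reject-with icmp-port-unreachable
"""
BLOCKING_TARGETS = {"DROP", "REJECT"}

def parse_packages(text):
    """Map UID -> package names (several packages can share one UID)."""
    by_uid = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].isdigit():
            by_uid.setdefault(int(fields[1]), []).append(fields[0])
    return by_uid

def blocked_uids(rules_text):
    """Return (low_uid, high_uid, target, rule) for owner rules that block."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["-A"] or "--uid-owner" not in tok[:-1] or "-j" not in tok[:-1]:
            continue
        i = tok.index("--uid-owner")
        target = tok[tok.index("-j") + 1]
        uid = re.fullmatch(r"(\d+)(?:-(\d+))?", tok[i + 1])
        # Skip negated matches ("! --uid-owner N"), non-blocking targets, names.
        if tok[i - 1] == "!" or target not in BLOCKING_TARGETS or not uid:
            continue
        findings.append((int(uid[1]), int(uid[2] or uid[1]), target, line))
    return findings

def flag_blocked_security_apps(rules_text, packages_text, watchlist):
    """List watchlisted packages whose UID is covered by a blocking rule."""
    by_uid = parse_packages(packages_text)
    return [{"package": p, "uid": u, "target": t, "rule": r}
            for lo, hi, t, r in blocked_uids(rules_text)
            for u, pkgs in by_uid.items() if lo <= u <= hi
            for p in pkgs if p in watchlist]
```

The watchlist should hold the package names of the security apps actually deployed on the fleet; a hit means the app is installed but its network traffic is being blocked by UID, which is worth investigating even when the app itself reports no detection.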
DroidWall was first developed by Rodrigo Rosauro as an open source app aiming to help users protect their devices. The app was sold to AVAST in 2011 and its source code can still be easily obtained from Google Code and Github. In cyber-security, the boundary between defense and offense can sometimes become very thin. An internet search for DroidWall will return many posts like this one discussing how DroidWall is able to help protect devices. However, this malware example reveals the other side of the story: in the wrong hands, some security tools can be used to actually compromise user security.
Targeting Chinese Users
The deception and detection-prevention used by this malware targets a distinctly Chinese usage pattern. By posing as Google services, the malware entices users in China (where the official Google services, such as Google Play, are not available) to download the malware. The Chinese market is also known to have a higher proportion of rooted devices, which puts them at a higher risk of malware infection in general.
The spyware attempts to exfiltrate a wide array of sensitive data. In addition to system-based personally identifying information (PII) such as call logs, SMS messages, GPS readings, system browser data, emails, radio, images and contacts, it also collects data belonging to specific third-party communication apps like BlackBerry Messenger, Oovoo, Coco, QQ, SinaWeibo, Skype, Talkbox, TencentWeibo, Voxer, Wechat, WhatsApp and Zello. The extensive list of data gathered by this malware ranks it among the most comprehensive spyware we’ve come across.
While the infection numbers are relatively low, this threat is still noteworthy as it illustrates another instance of malware authors using legitimate tools for malicious purposes.
Symantec ATP leverages existing Symantec security control points such as Symantec Endpoint Protection and Symantec email.cloud, together with ATP:Network, to discover unknown threats across the organization. By leveraging our unique Cloud Sandbox, which uses intelligence sources such as “Mobile Insight”, the solution can detect malicious activities such as the ones used by Android.Spywaller. By leveraging Dynamic Analysis, Static Analysis, Virtual and Physical Execution techniques, this kind of malware activity will be mitigated. Once the malicious activity has been discovered, automatic response and remediation can be used across all security controls to prevent the spread and ongoing activity of the threat.
To summarize, today’s security landscape requires a change in mindset and protection approach. Protecting one control point with best-of-breed technology is not enough. The future of advanced threat protection, which allows a single point of threat management, is made up of these four elements: automatically collecting and analyzing information across control points; utilizing richer global intelligence with machine learning technologies; correlating and convicting the most evasive unknown threats across control points; and automatically prioritizing high-risk incidents and providing one-click remediation across control points.
Ron Cohen Chen is the technology manager RIC & SA at Symantec.