How Mobile Malware Gets Delivered and Installed

By: Donovan Tan, Cybersecurity Researcher

As connectivity brings more convenience to all of us, we observe an increasing reliance, value, and adoption that makes our mobile devices an attractive target for cybercriminals. In this four-part series, we will explore the various types of mobile malware (Part 1), their lifecycle (delivery, installation (Part 2) and exploitation (Part 3)), and how to protect yourself against them (Part 4).

Part 2: How Mobile Malware Gets Delivered and Installed

With a greater amount of activities being carried out on mobile devices, malicious actors find themselves with broader and numerous attack opportunities. This makes it possible for mobile malware to be delivered through various channels. Despite this, bad actors still face two challenges hampering the successful delivery of their malware.

The first would be to bypass the anti-malware detection systems within mobile OSes and official app stores put in place by mobile OS developers. Google Play, the official app store for the most used mobile OS, Android, has machine learning malware detection systems and a team to review apps before and after they are published on the store[1] [2].

The second challenge faced would be to convince users to download the malicious application. Be it through official or unofficial app stores, or direct download links for installer files, malicious actors would need to employ methods to compel users to download the malware.

A popular method to overcome these challenges during delivery would be the use of trojan droppers, while a popular channel would be social media and messaging apps. For clarity’s sake, delivery channels refer to mediums used to spread malware (e.g. app stores, emails, messaging apps, etc.), while methods refer to any tactic employed by bad actors in relation to malware delivery. These tactics could involve preparation (e.g. hiding of malware in apps that appear legitimate) up until delivery (e.g. phishing).

Trojan-droppers

Trojan droppers are seemingly innocent applications that ‘drop’ malicious applications by executing code. The code either decrypts and executes a malicious payload within, or downloads and installs malware from an external server. The use of trojan droppers has become increasingly common among cybercriminals. Anubis and Agent Smith are just some recent examples of successful and widely spread malware that have been found to utilize trojan droppers.

Droppers are favoured by threat actors because they overcome the two obstacles mentioned above. Droppers do not explicitly exhibit malicious behaviour, they simply execute instructions to download, decrypt and install programs. Moreover, different droppers carrying the same malicious payload generate different hashes[3], rendering the use of malware hashes to identify trojan droppers ineffective. These characteristics help to bypass malware detection systems.

Besides, droppers can also entice users to download them. These droppers are usually packaged as useful utility apps such as currency convertors, or apps with ever-present demand such as gaming, gambling, or pornography.

Dropper apps carrying the Anubis found on the Google Play Store[4]. (Source: Trend Micro)

Social Engineering Attacks Using Social Media and Messaging Apps

Social media and messaging apps are a popular malware delivery channel used to carry out social engineering attacks. Victims can be tricked into downloading trojanized applications through psychological manipulation.

An example of such malware delivery would be ViperRAT, an advanced persistent threat (APT) that targeted the Israeli Defence Force. It has surveillance capabilities used to collect personally identifiable information (PII) and private content such as stored images and device information.[5] The threat actor behind ViperRAT made use of fake social media profiles passing off as young and attractive women to contact members of the Israeli Defence Force.

As seen in the image below, these fake profiles initiated chat and built rapport with their victims, eventually requesting them to install another chat app if they would like to continue chatting. These chat apps, however, would be trojanized versions of legitimate chat apps, containing ViperRAT-related payloads.

Social engineering attack via social media used by ViperRAT threat actor[6]. (Source: Dark Caracal Part 1, Kaspersky Security Analyst Summit 2018 by Cooper Quintin (EFF) & Michael Flossman (Lookout)

In reality, malicious actors commonly use combinations of different delivery methods and channels to increase the chance of successful malware delivery. In the ViperRAT case, the trojanized chat app functioned as a dropper that installed a secondary application containing malicious surveillance functionalities.[7]

Command and Control Servers (C2)

After successful delivery, the next step in the mobile malware lifecycle would be the installation of malware in preparation for carrying out the exploit. At this stage, malicious actors commonly make use of Command and Control Servers (C2), and abuse permissions defined by the mobile OSes.

Command and Control Servers are used to communicate with compromised devices. The communication can range from a dropper downloading a malicious application from the C2, to the malicious app itself getting resources from and sending data such as personally identifiable information (PII) to the C2.

Traditionally, the URL or IP address of the C2 server would be placed within the malware’s codebase.

Rotexy C&C URL within its code, 2015. (Source: Kaspersky securelist.com)

However, malicious actors today have turned to more novel ways to mask their C2 servers. An example would be how the banking trojan, Anubis, made use of social media including Twitter and Telegram to retrieve the address of their C2 server. Researchers at PhishLabs found links to social media accounts and channels instead of plaintext C2 URLS within Anubis code samples[8]. These social media accounts have been observed to post encoded strings and even Chinese characters converted from these strings, which researchers have identified to be obfuscated C2 URLs[9]. Devices infected with the malware would obtain the encoded strings from these social media accounts, decode them to get the C2 URL, and then proceed to page home to the C2.

URL to telegram channel with encoded C2 String found within Anubis code. (Source: PhishLabs)

As mentioned by the Sophos team, who also investigated this C2 obfuscation technique used by Anubis, the use of social media accounts to share encoded C2 URLs also gave bad actors the flexibility to push out new C2 URLs to bots[10].

Permissions Abuse

The top two mobile OSes today, Android and iOS, both use permission-based access control. Applications are required to be granted necessary permissions before being allowed to execute certain actions. In the Android framework, permissions are largely related to system features such as accessibility services and accessing personal data. App developers are required to specify what permissions their application needs, with users being asked to approve these permissions before the app runs.

This means that during the installation of malware, malicious actors would still need to procure the permissions required by their malware to carry out its exploits. Targets with poor cyber hygiene (operational security habits) who do not make it a habit to check requested permissions before installing apps will likely end up being victims.

These actors have used tricks to get victims to accept these permissions. In the case of Anubis, the malware downloaded from the C2 server masquerades as ‘Google Play Protect’ and requests that critical permissions be granted[11]. Users who are not careful would be tricked into believing that this request for permissions is related to an update of the official ‘Google Play Protect’.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

[1] https://www.geeksforgeeks.org/google-play-protect-how-it-detects-and-removes-malicious-apps/

[2] https://www.android.com/play-protect/

[3] https://securelist.com/mobile-malware-evolution-2018/89689/

[4] https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/

[5] https://blog.lookout.com/viperrat-mobile-apt

[6] https://www.youtube.com/watch?v=7X0D2gX1PD0

[7] https://blog.lookout.com/viperrat-mobile-apt

[8] https://info.phishlabs.com/blog/bankbot-anubis-threat-upgrade

[9] https://info.phishlabs.com/blog/bankbot-anubis-telegram-chinese-c2

[10] https://news.sophos.com/en-us/2019/05/01/how-anubis-uses-telegram-and-chinese-characters-to-phone-home/

[11] https://www.maketecheasier.com/anubis-android-malware-steals-money-from-users/