The Persistent Threat of Android Malware

Android users must be aware of current emerging threats as well as available security updates.

In a world where mobile users flock to Android or iOS devices, news of an emerging threat impacting either platform is certainly enough to garner attention. According to recent statistics, there were more than 2 billion active Android users across the globe in May 2017, and many of these endpoints are used for work purposes. In this landscape, it's imperative that individual users and business leaders alike stay informed about newly discovered threats, as well as the best practices that can be used to better safeguard Android devices.

Android Security Bulletin: Addressing Continuing Threats

A security bulletin issued by Android is nothing new. At the same time, these notifications aren't something that Android users – particularly those who utilize their devices to access sensitive corporate assets – should ignore.

"Security bulletins aren't something that Android users should ignore."

Toward the beginning of July, Google released its monthly security bulletin, which included two patches aimed at addressing continuing vulnerabilities spotted a few months earlier. According to Trend Micro Technical Communications Researcher Giannina Escueta, this particular bulletin comes as a result of Mediaserver issues that have plagued Android devices since March. These problems include vulnerabilities that can be exploited for memory corruption, as well as to execute remote code.

The bulletin also sought to pinpoint and resolve vulnerabilities within the Media framework and in Broadcom and Qualcomm components, as well as 55 high-rated Qualcomm closed-source component issues. Although these problems pose a considerable threat to Android users – including the potential for a hacker to execute arbitrary code within a privileged process context, according to the Android Open Source Project – it appears Google was able to release patches before these vulnerabilities were exploited by malicious actors.

"We have had no reports of active customer exploitation or abuse of these newly reported issues," Android Open Source Project reported.

Android Judy Malware Impacts Millions of Users

The above-described situation – wherein a patch was created before a vulnerability could be used for active infection – isn't always the case with mobile malware, however. Earlier this year, an Android malware sample dubbed "Judy" reportedly impacted a significant number of users, to the tune of 36.5 million victims, according to BGR contributor Yoni Heisler.

The malware sample, discovered by Check Point researchers in mid-May, was found to enable revenue-generating malicious activity, and was supported by more than 40 infected apps within the Google Play store.

"Notably, some of the offending apps have been available for download for years, though at this point it remains unclear if the malware was always present or perhaps inserted later on via [sic] a software update," Heisler wrote.

Once downloaded by a victim, a Judy-infected app establishes a connection with a command-and-control (C&C) server, which sends the malicious JavaScript payload. The malware then opens a URL that is redirected to another site. From there, the sample is able to locate and click on Google ad banners, generating revenue for the malware author from the website developer paying for "legitimate" website traffic, researchers explained.

Israeli Hospital Attacks: Android Malware Discovered

Judy wasn't the only particularly harmful Android threat emerging recently. According to Trend Micro researchers, an attack campaign impacting Israeli hospitals this year also exposed a dangerous Android malware capable of taking over victim devices. The threat, detected by Trend Micro researchers in July, has been named GhostCtrl, and hinges on the ability to leverage several device functionalities.

Making GhostCtrl even more of a formidable threat is the fact that there are currently three versions of the Android malware – one designed to steal information and control certain baseline device functions, a second created to support even more control over victim device capabilities, and a third iteration combining the malicious activity enabled by the first two versions.

"Based on the techniques each employed, we can only expect it to further evolve," Trend Micro researchers noted.

Supporting BYOD: Safeguarding Android Devices Used for Work

As threats continue to emerge in connection with Android devices, it's imperative that IT leaders and other corporate stakeholders understand what they can do to support their organization's mobile security posture. There are a few best practices that businesses can employ to improve their protection against mobile malware, including:

  • Ensure patches are applied as quickly as possible: Whenever an update is released, it's important that employees are urged to install it with as little delay as possible. As with Android's July security bulletin, patches can be released before hackers have a chance to exploit the underlying vulnerabilities. However, they are only effective when devices are updated in a timely manner.
  • Restrict access when possible: Because mobile devices can open up opportunities for hackers to access sensitive business data, it's important that the company has specialized permissions set up for certain users. Not everyone needs access to all of the company's data and systems. Creating user permission tiers that align with an employee's access level can help reduce the chances of data leaks.
  • Have a strong mobile device management policy: This policy will help direct acceptable use within the organization, including how sensitive data is accessed via BYOD mobile devices. A strong policy can considerably reduce security risks.
  • Leverage an app reputation system: Trend Micro noted this system should be able to identify malicious or suspicious apps that could provide an opening for hacker activity.
  • Safeguard data with encryption: This security measure ensures that even if a malicious actor is able to infect a device, he or she will be unable to leverage sensitive data stored on the endpoint.
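The first practice above, applying patches promptly, is only verifiable if someone checks which devices actually carry a current patch level. The following script is an added example, not code from the original post or from Trend Micro: it takes an inventory of devices together with the `ro.build.version.security_patch` value each one reports (the YYYY-MM-DD string returned by `adb shell getprop ro.build.version.security_patch`), and flags every device whose patch level lags a bulletin date by more than a grace period. The inventory, device ids and grace period are constructed assumptions.

```python
"""Flag Android devices whose security patch level lags a published bulletin.

Added example (not from the original post). It assumes a fleet inventory in
which each device's ``ro.build.version.security_patch`` string has already
been collected, e.g. by an MDM export; the inventory below is constructed
sample data, not real devices.
"""
from datetime import date, timedelta

# Constructed inventory: device id -> reported security patch level.
# A None value models a device that did not report a patch level at all.
INVENTORY = {
    "dev-001": "2017-07-05",   # current with the July bulletin
    "dev-002": "2017-06-05",   # one month behind
    "dev-003": "2017-03-01",   # still exposed to the March Mediaserver issues
    "dev-004": None,           # no value reported; treated as non-compliant
}


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string.

    Returns a date, or None when the value is missing or malformed so that
    an unreadable level is never silently treated as compliant.
    """
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def stale_devices(inventory, bulletin_date, grace_days=30):
    """Return sorted device ids that need attention.

    A device is stale when its patch level is earlier than the bulletin date
    minus the grace period (the time the organization allows for rollout),
    or when its patch level cannot be read.
    """
    cutoff = bulletin_date - timedelta(days=grace_days)
    stale = []
    for device_id, raw in inventory.items():
        level = parse_patch_level(raw)
        if level is None or level < cutoff:
            stale.append(device_id)
    return sorted(stale)


def report(inventory, bulletin_date, grace_days=30):
    """Build a human-readable compliance summary for the fleet."""
    stale = stale_devices(inventory, bulletin_date, grace_days)
    lines = [f"Bulletin {bulletin_date.isoformat()}, grace {grace_days} days"]
    for device_id in sorted(inventory):
        status = "STALE" if device_id in stale else "ok"
        lines.append(f"  {device_id}: {inventory[device_id] or '<missing>'} -> {status}")
    lines.append(f"{len(stale)} of {len(inventory)} devices need patching")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed bulletin date for the July 2017 Android security bulletin.
    print(report(INVENTORY, date(2017, 7, 5)))
```

Setting `grace_days=0` turns the check into a strict "must match the latest bulletin" test; a missing or unparsable patch level is always flagged rather than ignored, since an unknown state should not count as compliant.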

To find out more about how to safeguard Android devices and strengthen your company's mobile security posture, contact the experts at Trend Micro today.
