Our Android Malware Summary for the Year 2013

February 21st, 2014

In 2013 our Mobile-Sandbox analyzed over 150,000 Android applications that were submitted by mostly anonymous users, by anti-virus companies and by ourselves. Within this huge amount of data our system detected a number of malicious and unwanted applications belonging to 44 different, newly discovered malware families.

Most of these malicious applications had been downloaded from third-party markets, but we also found 4 malware families with samples that had been downloaded from the official Google Play market. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:

Characteristics                                            Share in 2013   Difference to 2012
Families that steal personal information                   61,4 %          + 10,1 %
Families with characteristics of a botnet                  25,0 %          +  1,5 %
Families that send premium rated SMS messages              18,2 %          - 11,9 %
Families that install additional applications              11,4 %          +  1,0 %
Families downloaded from the Google Play market             9,1 %          -  2,2 %
Families that contain root exploits                         9,1 %          -  9,2 %
Families that steal location related data                   9,1 %          +  0,4 %
Potentially unwanted applications                           9,1 %          +  1,3 %
Online banking trojans                                      6,8 %          +  3,3 %
Families which are able to infect a connected Windows PC    4,5 %          +  4,5 %
Commercial trojans or spy-kits                              2,3 %          +  2,3 %

More than 60 % of all malware families try to steal personal information from the smartphone, such as the IMSI, the IMEI and contact entries. Even if this action doesn't harm the smartphone user directly, the information can be sold on the underground market or used for targeted spam campaigns. This kind of threat has increased by more than 10 % compared to 2012.

Last year's second most common threat -- sending premium rated SMS messages -- has lost nearly half of its share among newly discovered malware families. We assume this is due to the security features of Android 4.x as well as increased awareness among telephony and service providers.

The most dangerous malicious samples are those that come with their own root exploit. If the exploit works properly, the attacker can do nearly anything with the infected device without the smartphone user's knowledge. This kind of malicious behavior was found in more than 9 % of the 44 new malware families (which is half as common as in 2012).

During 2012 a large number of banks switched from the common TAN procedure to the mobile TAN (mTAN) for additional security. This trend can also be seen in the malware families. In 2012 we detected 4 different families (3,5 %) that try to intercept and modify these mTAN messages. In 2013 it went up to 6,8 % of newly analyzed malware families. This kind of malicious Android app is extremely dangerous: if both the computer and the smartphone of an online banking user are infected with this kind of malware, the attacker can modify each transaction without the infected user's knowledge.

Two new kinds of malware were discovered in 2013: commercial trojans/spy-kits (which are -- more or less -- legally sold on the Internet) and trojans that are able to infect a connected Windows PC. Both kinds of malware were distributed very rarely, with a share of only 2 - 5 %.

With Android.Chuli we have also seen the first publicly known targeted attack in which Android smartphones were involved as the main entity of the attack.

ADEL goes open-source

March 2nd, 2013


Our forensic framework for smartphones running the Android OS is now open-source and available on GitHub.

The documentation and some other useful information regarding ADEL is available here.

Cracking Android’s full disk encryption

February 14th, 2013


At the end of 2011, Google released version 4.0 of its Android operating system. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut, any chance to recover data other than by brute force is lost.

We present FROST (Forensic Recovery Of Scrambled Telephones), a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show for the first time that cold boot attacks against Android phones are generally possible, and we demonstrate our attacks practically against Galaxy Nexus devices from Samsung.

The FROST version for the Galaxy Nexus and some more information on the topic can be found here.

The technical report with all details of the cold boot attack inside our FROST recovery image can be found here.

Android Malware: Current Threats and Insights into One of the Best-Known Analysis Systems

February 10th, 2013


As mobile phones enjoy ever greater popularity, they also move further into the focus of criminals. Whereas one or two years ago only a few hundred malicious applications for mobile devices were known in the wild, today there are well over 200,000, and new malware is added every day. The functionality of this malware ranges from sending simple premium SMS, through banking trojans, to sophisticated exploits that turn the infected phone into a remotely controllable bot. This article gives an overview of the current threat situation for Android phones. In addition, one of the best-known analysis systems for malicious Android applications is presented.

The full article is available here.

ContrOWL: A new security app based on crowd intelligence

February 7th, 2013


One of our students has built a great security app for the Android platform with support for crowd intelligence - ContrOWL.

ContrOWL is a security app that helps you find potential threats among your installed apps. It can also check freshly added apps on the fly and notify you if an app is rated as suspicious. ContrOWL also gives you information about the most frequently used permissions and broadcast intents of malware apps, which should help you to evaluate them.
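To illustrate the kind of permission and broadcast-intent review described above, here is an added example that is not part of the original post and not ContrOWL's or Mobile-Sandbox's code. It parses two constructed AndroidManifest.xml documents (hypothetical package names, receiver names and content) and maps what it finds onto the behaviour classes of the 2013 summary: SMS interception of the mTAN kind, premium-rate SMS, theft of identifiers and contacts, and boot-time persistence. The priority threshold of 1000 is an assumption chosen for the example.

```python
# Added example (not ContrOWL's or Mobile-Sandbox's code): a small manifest
# triage script that flags the permission / broadcast-intent combinations the
# 2013 summary associates with malware families. Both manifests below are
# constructed for illustration and are not taken from any real sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS

# Constructed manifest showing the SMS-interception pattern (hypothetical app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.smsbot">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network-only app (hypothetical).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (set of requested permissions, list of receiver intent filters)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    filters = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            try:
                prio = int(flt.get(PRIORITY, "0"))
            except ValueError:
                prio = 0  # non-numeric priority (e.g. a resource reference)
            filters.append({
                "receiver": rcv.get(NAME),
                "actions": {a.get(NAME) for a in flt.findall("action")},
                "priority": prio,
            })
    return perms, filters


def triage(perms, filters):
    """Map manifest facts to the behaviour classes of the 2013 summary."""
    findings = []
    sms_filters = [f for f in filters
                   if "android.provider.Telephony.SMS_RECEIVED" in f["actions"]]
    # SMS interception (mTAN pattern): a receiver that sees incoming SMS first
    # because of a very high priority. Threshold 1000 is an assumption here.
    if "android.permission.RECEIVE_SMS" in perms and \
            any(f["priority"] >= 1000 for f in sms_filters):
        findings.append("sms-interception")
    # Premium-rate SMS fraud needs SEND_SMS.
    if "android.permission.SEND_SMS" in perms:
        findings.append("premium-sms")
    # Information theft: device identifiers and contacts plus a way out.
    if {"android.permission.READ_PHONE_STATE",
        "android.permission.READ_CONTACTS"} <= perms and \
            "android.permission.INTERNET" in perms:
        findings.append("info-theft")
    # Botnet-style persistence: restart on boot.
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and \
            any("android.intent.action.BOOT_COMPLETED" in f["actions"] for f in filters):
        findings.append("boot-persistence")
    return findings


def triage_manifest(xml_text):
    """Convenience wrapper: manifest XML text in, list of finding tags out."""
    return triage(*parse_manifest(xml_text))


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml) or ["no findings"])
```

A manifest-only check like this is a triage aid, not a verdict: many legitimate messaging or backup apps request the same permissions, which is exactly why a crowd-sourced rating on top of such static indicators is useful.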

Please support him and test his app!

Get it on Google Play