Legitimate Android apps are being compromised by phony versions that masquerade as the real thing but deliver a payload of malware, according to a Symantec blog published yesterday.
Found on unregulated third-party Android markets, malicious versions of legitimate apps like Steamy Window are difficult to distinguish except for their tendency to request permissions that are more excessive than usual, says Symantec. But once installed, these apps carry a new piece of Android malware dubbed Android.Pjapps.
Even running the app doesn’t raise a red flag to the user as the fakes closely look and act like the legitimate versions. But behind the scenes, these Trojans are actually trying to build a botnet that can take over the device by installing apps, adding bookmarks, sending out spam, and texting messages to premium-rate numbers.
Symantec notes that none of the domains identified in the traffic between the bot and its C&C (command and control) servers are as yet active. But the company believes the goal behind this piece of malware is to push out ads and send out texts to premium-rate phone numbers, resulting in expensive charges for the user.
As Android has grown in popularity, it’s naturally become more of a target for cybercriminals. Revealed last August, another piece of malware called Trojan-SMS.AndroidOS.FakePlayer.a, was believed to be the first SMS Trojan to pop up on Android-based devices and was also designed to send texts to premium-rate numbers.
Symantec told CNET that it didn’t want to name the specific Android marketplaces where it found the malware since they are legitimate sites where people can create and share apps. The author of Android.Pjapps simply targeted these sites. However, this type of vulnerability does point to the problems that Android owners can face when using unregulated app markets, leading Symantec to recommend that people download apps only from the official app market.
The threat of Android.Pjapps seems limited for now since Symantec has rated its risk factor as very low. The company explained that the bot earned a very low risk rating for three reasons: 1) Few people are downloading apps from unregulated app stores; 2) A specific setting in the Android OS lets people disable the downoad of apps from unofficial marketplaces; and 3) The C&C servers are not currently active.
But still, all it takes is one wrong download to compromise a device.
To guard against this type of threat, Symantec offers a few pieces of advice:
- Use only regulated Android marketplaces to download and install apps.
- Turn on the option to stop the installation of non-market apps, which is available in the Android OS application settings.
- Check user comments in the marketplace to help determine if a certain app is safe to download.
- Finally, be aware of the access permissions requested during the installation of an Android app. If they seem excessive, stop the installation.
Updated at 11:42 a.m. PT: with additional information and comments from Symantec.