The Anti-virus Times

Tuesday, November 22, 2022

Almost all of us have mobile gadgets: a smartphone or a tablet. Today two players completely dominate the world’s mobile device market: Google and its Android operating system, and Apple with its iOS operating system. Which one is better is a matter of eternal dispute with an infinite set of arguments from both sides. We will only note that these systems are antipodes that oppose each other in terms of “openness” and “closedness”, “freedom” and “strict limits”. For example, iOS is designed to work only on Apple devices. And Google's operating system "works" literally on all other mobile gadgets and on many IoT devices that are produced by a variety of manufacturers. Another important difference is that by default, users can only install apps from the AppStore on their iOS devices. This restriction can be bypassed, but it's not a fact that a common user will be able to do this. But Android allows users to install apps not only from its official catalogue but also from any other source. Android's versatility combined with its popularity, by default, adversely affects security. In this Anti-virus Times issue, we will talk about fake Android apps that can pose a real threat to users.

Here we'll acknowledge straightaway that Apple devices can also be attacked by cybercriminals. However, the "closedness" of the OS itself, as well as the fairly thorough moderation of applications downloaded to the App Store, prohibits cybercriminals of all stripes from completely "running wild". Of course, iPhones can also have (and do have) vulnerabilities that are detected from time to time by both researchers and hackers. But if we are talking about mass malicious applications, owners of Android devices are much more threatened.

As we already mentioned, Android allows a user to install applications not only from official catalogues but also from any source. Installation files have the .apk extension. They can be downloaded from the Internet, or via email or messengers. The main danger is that nobody moderates such programs, so the risk of running malware on your phone increases manifold. The Android built-in protection tools are not equipped with a wide array of features. At startup, a user will only be presented with the list of permissions requested by whatever particular application is being installed. Modified, hacked versions of legitimate programs are often distributed as APK files. One can’t say with 100% certainty whether an APK file is malicious; only a virus analysis, which is out of the question for inexperienced users, can prove this.

Often, an application can be disguised as a harmless program, but it can contain hidden features. Every month we publish virus reviews and also include information about common mobile device threats in them. Unfortunately, the official Android application catalogues can also contain advertising, unwanted and even malicious programs. Let's recall the most common of them to understand what threat they can pose to users.

Most often, malicious modules embed themselves into a variety of applications that are disguised as image editors, on-screen keyboards, system utilities, call applications, programs for replacing the background image of a home screen, and others. One of the most widespread threats in recent times is the trojan family detected by Dr.Web products as Android.HiddenAds. These malicious programs are most often distributed under the guise of useful programs or games that can be downloaded from Google Play. They are designed to show annoying ads. To make it harder for them to be detected in a system, they hide their icons in the main screen’s list of installed applications or replace them with less noticeable ones.

But even more dangerous trojan families can be found on Google Play. For example, Android.Joker trojans, which can execute arbitrary code, steal data from the phone book, intercept SMS messages, and automatically sign users up for paid premium services. This trojan family is also distributed under the guise of harmless programs – image collections, graphic editors and other utilities. There are numerous other trojan families. Some of them steal passwords and other personal information, and the rest display advertising banners, interfering with a mobile device’s normal operation.

It should be noted that such dangerous applications can contain the declared features, while the malicious modules will work covertly. This situation is doubly dangerous for the user, as a trojan can "live" in a system for a long time, performing destructive functions. For example, earlier our virus analysts found dozens of mobile games containing Android.Cynos.7.origin in the official AppGallery catalogue. The scale of the threat turned out to be truly great because at the time of the discovery, the "infected" games had been downloaded by millions of users. When the game was being installed, the trojan would request permission to manage phone calls, which, unfortunately, did not bother many of the large number of players.

In one of our issues of the Anti-virus Times, we’ve already written about permissions for Android apps. We recommend that you reread that material and always closely monitor the activity of applications, even if they are downloaded from official sources.