Researchers have discovered a number of malicious Android apps are using Google’s Cloud Messaging (GCM) service and leveraging it as a command and control server to carry out attacks.
A post on Securelist today by Kaspersky Lab’s Roman Unuchek, breaks down five Trojans that have been spotted checking in with GCM after launching.
- Trojan-SMS.AndroidOS.FakeInst.a
- Trojan-SMS.AndroidOS.Agent.ao
- Trojan-SMS.AndroidOS.OpFake.a
- Backdoor.AndroidOS.Maxit.a
- Trojan-SMS.AndroidOS.Agent.az
These trojans having a relatively wide range of functions:
— Sending premium text messages to a specified number
— Sending text messages to a specified number on the contact list
— Performing self-updates
— Stealing text messages
— Deleting incoming text messages that meet the criteria set by the C&C
— Theft of contacts
— Replacing the C&C or GCM numbers
— Stopping or restarting its operations
— Generate shortcuts to malicious sites
— Initiate phone calls
— Collect information about the phone and the SIM card & upload on server
Kaspersky Lab detected millions of installers in over 130 countries and Kaspersky Mobile Security (KMS) blocked attempted installations for these Trojans.
No doubt, GCM is a useful service for legitimate software developers. But virus writers are using Google Cloud Messaging as an additional C&C for their Trojans. Furthermore, the execution of commands received from GCM is performed by the GCM system and it is impossible to block them directly on an infected device.
The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.