Hunting for Android Malware
I've been meaning to write about malware on Android for some time now, as it is definitely an issue that is on our radar screen...
I started thinking about doing a post a few weeks ago, when a very interesting article link was forwarded to me by a fellow Bluecoater: a statement from a Google employee that you don't need antivirus software for Android.
Basically, I agree with the experts from Kaspersky and others who were quoted in the article as rebuttals. While it may be strictly true that we haven't seen self-replicating "viruses" for smartphones, there is certainly malware out there. (And Android, due to a combination of its market share and the overall openness of its ecosystem, is probably the #1 target for the Bad Guys.) For most people "virus" == "malware"; they don't worry about hair-splitting differences in the technical definitions of the various sorts of malicious software.
(While on the topic, btw, here's a link to a good article looking at the effectiveness of various free anti-malware software for Android. Executive Summary: None of them are close to "good enough" compared to the commercial AV offerings.)
Anyway, today I saw a note from one of our key researchers, Patrick, who normally focuses on botnets, but whose skills go far beyond that. He mentioned that he'd been keeping an eye on Android malware, and listed a specific site that was hosting malicious Android downloads as an example (web-androids.ru), and that was enough to prompt me to do some research and put together a blog post...
web-androids.ru is part of an ongoing Android malware operation that appears to be focused (for now, at least) on Russian users. This particular domain showed up in the core WebPulse logs for only a single day: 11/30. WebPulse had auto-flagged all of the requested URLs as Suspicious, since we've been tracking this network of shady download sites for several months. It's a busy malnet, continuing to crank out new domains at a steady pace...
Yesterday, the most active domain was 1waps.ru. When I followed a sample link that led to it, it was claiming to be an upgrade site for Opera:

The key text, in the gray boxes, translates roughly as "Your version of Opera Mini browser is outdated, further work may be incorrect and lead to unexpected errors and crashes! We recommend you upgrade to Opera Mini 6.5".
Clicking on the "Skachat" (download) button yielded a small Java jar file, whose contents looked rather suspicious, and which was flagged as SMS-malware by one of the 42 anti-malware engines at VirusTotal. (A low detection count like that is typical for a freshly minted sample; it is not a clean bill of health. Note also that a .jar is a Java ME package for feature phones rather than an Android .apk, so the "Opera Mini" lure is aimed at anything with a Java runtime, not just Android.)
Needless to say, I'm also highly skeptical that this is actually a site run by Opera, regardless of what the copyright message says, since the domain registration shows that this site is only a couple of weeks old, and no details about the registrant are given...
So yes, smartphone malware is out there, and users would be well served to stick to authorized software download sites like app stores, and to do some due diligence to screen out fly-by-night domains like this one before downloading anything.
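The due diligence described above can be partly automated. The script below is an added example, not Blue Coat tooling or anything recovered from the 1waps.ru sample: it builds a constructed stand-in jar whose manifest poses as an Opera Mini update but asks for SMS permissions, parses the Java ME manifest (including continuation lines) to pull out those permissions, hashes the file for a VirusTotal lookup, and checks a constructed .ru-style whois record for a too-recent creation date and a withheld registrant. The manifest contents, the whois excerpt and its 2011.11.15 creation date are assumptions made up for the example; the real registration details of 1waps.ru are not reproduced here.

```python
"""Triage a mobile download and its hosting domain (added example)."""
import hashlib
import io
import re
import zipfile
from datetime import date

# Java ME (MIDP 2.0 / WMA) permissions that let a midlet send or receive SMS.
# A browser "upgrade" has no business requesting any of these.
SMS_PERMISSIONS = {
    "javax.wireless.messaging.sms.send",
    "javax.wireless.messaging.sms.receive",
    "javax.microedition.io.Connector.sms",
}

# Constructed whois excerpt in the TCI (.ru registry) format. The dates and
# registrar are assumptions for the example, not the record for 1waps.ru.
SAMPLE_WHOIS = """domain:        EXAMPLE.RU
nserver:       ns1.example.net.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-RU
created:       2011.11.15
paid-till:     2012.11.15
source:        TCI
"""


def build_sample_jar():
    """Constructed stand-in for the downloaded file: a jar whose manifest
    claims to be Opera Mini 6.5 but declares SMS permissions. The class
    payload is a dummy so the archive is a valid zip; it is not runnable."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "MIDlet-Name: Opera Mini 6.5\r\n"
        "MIDlet-Vendor: Opera Software\r\n"
        "MIDlet-Version: 6.5\r\n"
        "MIDlet-1: Opera Mini, /icon.png, Main\r\n"
        "MicroEdition-Profile: MIDP-2.0\r\n"
        "MicroEdition-Configuration: CLDC-1.1\r\n"
        # Manifest values may wrap; a continuation line starts with one space.
        "MIDlet-Permissions: javax.wireless.messaging.sms.send,\r\n"
        " javax.microedition.io.Connector.sms\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def parse_manifest(jar_bytes):
    """Return the jar's main manifest attributes, joining continuation lines."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and key:          # continuation of previous value
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def requested_sms_permissions(jar_bytes):
    """SMS-related permissions declared as required or optional, sorted."""
    attrs = parse_manifest(jar_bytes)
    declared = attrs.get("MIDlet-Permissions", "") + "," + attrs.get("MIDlet-Permissions-Opt", "")
    wanted = {p.strip() for p in declared.split(",") if p.strip()}
    return sorted(wanted & SMS_PERMISSIONS)


def sha256_hex(data):
    """Hash to search on VirusTotal or compare with a vendor's published hash."""
    return hashlib.sha256(data).hexdigest()


def domain_age_days(whois_text, today_iso):
    """Days between the 'created:' date in a TCI-style record and today_iso
    (YYYY-MM-DD); None if the record carries no creation date."""
    m = re.search(r"^created:\s+(\d{4})\.(\d{2})\.(\d{2})", whois_text, re.M)
    if not m:
        return None
    created = date(*map(int, m.groups()))
    return (date.fromisoformat(today_iso) - created).days


def triage(jar_bytes, whois_text, today_iso, min_domain_age_days=90):
    """Collect the red flags a practitioner would want before trusting the download."""
    findings = []
    perms = requested_sms_permissions(jar_bytes)
    if perms:
        findings.append("manifest requests SMS permissions: " + ", ".join(perms))
    age = domain_age_days(whois_text, today_iso)
    if age is None:
        findings.append("whois record has no creation date")
    elif age < min_domain_age_days:
        findings.append("domain is only %d days old" % age)
    if re.search(r"^person:\s+Private Person", whois_text, re.M):
        findings.append("registrant details withheld")
    return findings


if __name__ == "__main__":
    sample = build_sample_jar()
    print("sha256:", sha256_hex(sample))
    for f in triage(sample, SAMPLE_WHOIS, "2011-12-01"):
        print("FLAG:", f)
```

The manifest check is the cheap, offline part of the due diligence: a legitimate browser update from a vendor's own site does not need `javax.wireless.messaging.sms.send`, so a single glance at `MIDlet-Permissions` is often enough to discard a "Skachat" payload before it ever reaches a phone. The hash is what you paste into VirusTotal, and the whois age check encodes the rule of thumb from the post: a domain registered a couple of weeks ago with no registrant details is not Opera.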
--C.L.