New Malware Bypasses Android Market, Downloads Directly to Mobile Phones
Lookout Mobile Security is warning of a new kind of Android malware that bypasses Google's protections and targets the user's phone directly.
Dubbed GGTracker by Lookout Mobile Security researchers, the latest Android malware is spread through in-app advertisements, Tim Wyatt, a software engineer at Lookout Mobile Security, wrote on the company blog June 20. When a user clicks on one of these ads, such as one for adult content or a mundane battery-saving tool, the user is directed to a Web site designed to look like the Android Market.
It appears that malware developers made this move because Google is getting more vigilant about keeping malware-tainted apps off the official Android Market. Google removed more than 25 applications from the Android Market after it discovered they were actually legitimate apps that had been repackaged with DroidDream Light, a variation of an earlier data-stealing Trojan. Google had removed over 50 apps infected with DroidDream from the Market in March.
"We believe Android users are shown an advertisement that directs them to a malicious Web site that resembles the Android Market installation screen," Wyatt wrote.
Lookout did not have an estimate for how many users may be infected, but said the malware targets users in the United States. It was also unclear which smartphone apps carried the ads that were helping to spread the malware.
Normally, malware is hidden inside an application that is downloaded from an app market, whether it is from the official Android Market or any of the several third-party app stores that exist. The latest Android threat is packaged in such a way that it can be downloaded directly from the Web. The APK, the Android application package file that contains the compiled code and related files necessary for installation, is available directly from this site and is saved to the device's downloads folder.
In the case of GGTracker, when the user decides to get an app, the site directs the user to an installation page that looks and behaves just like the Android Market. Users might be tricked into thinking the site is a Google-created site because it looks like the official Market, Wyatt said.
"To our knowledge, this malicious application is not found in the Android Market," Wyatt said.
The fake installation page prompts the user to start the Android downloader to install the APK file from the downloads folder. Once installed, the malicious app pings multiple servers that subscribe the user's phone number to different premium SMS subscription services.