Cybercriminals use Google Cloud Messaging service to control malware on Android devices

Kaspersky Lab researchers identified Android malware threats that receive commands from attackers through the Google Cloud Messaging service

Cybercriminals are controlling malware on Android devices through a Google service that enables developers to send messages to their applications, according to security researchers from antivirus vendor Kaspersky Lab.

Google Cloud Messaging (GCM) for Android allows developers to send and receive different types of messages to and from applications installed on Android devices. A developer can, for example, send messages that contain up to 4KB of structured data from a server the developer owns through a Google-run GCM server to all user installations of the developer's GCM-enabled apps. The applications don't even have to be running on user devices as the received messages will be broadcast by the Android OS and the targeted apps will be woken up.

The GCM message data can include links, text advertisements or commands, said Roman Unuchek, a senior malware analyst at Kaspersky Lab, Wednesday in a blog post.

Researchers from the antivirus company have already identified multiple Android malware threats that use GCM as a primary or secondary command-and-control channel.

One of them is called Trojan-SMS.AndroidOS.FakeInst.a and can send text messages to premium-rate numbers, delete incoming text messages, generate shortcuts to malicious sites and display notifications advertising other malicious programs as useful apps or games, Unuchek said.

Kaspersky found over 4.8 million installers for FakeInst.a to date and during the past year the company's mobile antivirus product blocked over 160,000 attempted installations of this Trojan program, the researcher said. FakeInst.a was detected in over 130 countries, but it primarily targets users in Russia, Ukraine, Kazakhstan and Uzbekistan, he said.

Another Android malware threat that uses GCM to receive commands and updates is called Trojan-SMS.AndroidOS.Agent.ao. This malware program is usually disguised as a porn app, but like FakeInst.a, its purpose is to send premium-rate text messages and display ads in the Android notification area.

"In total, KMS blocked over 6,000 attempts to install Trojan-SMS.AndroidOS.Agent.ao," Unuchek said. "This Trojan targets mainly mobile devices in the UK, where 90 percent of all attempted infections were detected."

Other Android malware programs that use GCM for command-and-control purposes and were identified by Kaspersky researchers include Trojan-SMS.AndroidOS.OpFake.a with over 1 million detected samples and 60,000 infection attempts, Backdoor.AndroidOS.Maxit.a with over 40 variants and 500 blocked installation attempts, and Trojan-SMS.AndroidOS.Agent.az with over 1,000 modifications and 1,500 attempted installations.

One problem with GCM is that neither users nor mobile antivirus programs can block malicious messages received through it because they are delivered by the OS itself, Unuchek said via email. "Antivirus software cannot block system activities."

The only way to block this channel of communication between virus writers and their malware is to block the developer accounts whose IDs are being used to register malicious programs with GCM, he said. "We have informed Google about the detected GCM IDs that are used in malware."

There isn't currently a large number of malware programs that use GCM, but those that do exist are widespread in some parts of western Europe, the Commonwealth of Independent States (CIS) and Asia, Unuchek said.

GCM seems to be a very cheap and easy instrument for cybercriminals to use, so it's likely the service could be abused to a greater extent in the future unless the bar for cybercriminals is not raised higher through countermeasures, the researcher said.

In addition to disabling developer IDs that are found to abuse the GCM service, it might also be a solution to actively analyze GCM messages for malicious content in a way similar to how intrusion detection systems analyze network traffic, Unuchek said.

Google did not immediately respond to an inquiry asking for information about the methods it uses to prevent malware writers from abusing the GCM service.

Join the PC World newsletter!

Error: Please check your email address.

Tags mobile applicationsAndroid OSGooglesecuritymobile securitymobilemalwarekaspersky lab

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?