Cybercriminals use Google Cloud Messaging service to control malware on Android devices

Kaspersky Lab researchers identified Android malware threats that receive commands from attackers through the Google Cloud Messaging service

Cybercriminals are controlling malware on Android devices through a Google service that enables developers to send messages to their applications, according to security researchers from antivirus vendor Kaspersky Lab.

Google Cloud Messaging (GCM) for Android allows developers to send and receive different types of messages to and from applications installed on Android devices. A developer can, for example, send messages that contain up to 4KB of structured data from a server the developer owns through a Google-run GCM server to all user installations of the developer's GCM-enabled apps. The applications don't even have to be running on user devices as the received messages will be broadcast by the Android OS and the targeted apps will be woken up.

The GCM message data can include links, text advertisements or commands, said Roman Unuchek, a senior malware analyst at Kaspersky Lab, Wednesday in a blog post.

Researchers from the antivirus company have already identified multiple Android malware threats that use GCM as a primary or secondary command-and-control channel.

One of them is called Trojan-SMS.AndroidOS.FakeInst.a and can send text messages to premium-rate numbers, delete incoming text messages, generate shortcuts to malicious sites and display notifications advertising other malicious programs as useful apps or games, Unuchek said.

Kaspersky has found over 4.8 million installers for FakeInst.a to date, and during the past year the company's mobile antivirus product blocked over 160,000 attempted installations of this Trojan program, the researcher said. FakeInst.a was detected in over 130 countries, but it primarily targets users in Russia, Ukraine, Kazakhstan and Uzbekistan, he said.

Another Android malware threat that uses GCM to receive commands and updates is called Trojan-SMS.AndroidOS.Agent.ao. This malware program is usually disguised as a porn app, but like FakeInst.a, its purpose is to send premium-rate text messages and display ads in the Android notification area.

"In total, KMS blocked over 6,000 attempts to install Trojan-SMS.AndroidOS.Agent.ao," Unuchek said. "This Trojan targets mainly mobile devices in the UK, where 90 percent of all attempted infections were detected."

Other Android malware programs that use GCM for command-and-control purposes and were identified by Kaspersky researchers include Trojan-SMS.AndroidOS.OpFake.a with over 1 million detected samples and 60,000 infection attempts, Backdoor.AndroidOS.Maxit.a with over 40 variants and 500 blocked installation attempts, and Trojan-SMS.AndroidOS.Agent.az with over 1,000 modifications and 1,500 attempted installations.
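As an added illustration (not code from Kaspersky Lab or the original article), the Python example below triages a decoded AndroidManifest.xml for the combination these Trojans share: a GCM receiver declared alongside SMS and shortcut permissions. The sample manifests and package names are constructed, and the rule is an analyst heuristic, since many legitimate apps use GCM on its own.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_ACTION = "com.google.android.c2dm.intent.RECEIVE"
# Permissions that map to the Trojan behaviours listed in the article.
RISKY = {
    "android.permission.SEND_SMS": "can send text messages",
    "android.permission.RECEIVE_SMS": "can intercept incoming text messages",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can create shortcuts",
}

def triage_manifest(manifest_xml):
    """Return (uses_gcm, reasons) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # A GCM-enabled app registers a receiver for the c2dm RECEIVE broadcast.
    has_receiver = any(
        a.get(NS + "name") == GCM_ACTION
        for r in root.iter("receiver") for a in r.iter("action")
    )
    uses_gcm = GCM_PERMISSION in perms and has_receiver
    # Only report risky permissions when they sit next to a GCM channel.
    reasons = [RISKY[p] for p in sorted(perms & set(RISKY))] if uses_gcm else []
    return uses_gcm, reasons

def manifest(package, permissions, gcm_receiver):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    recv = (f'<receiver android:name=".Rx"><intent-filter>'
            f'<action android:name="{GCM_ACTION}"/></intent-filter></receiver>'
            if gcm_receiver else "")
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{package}">{uses}<application>{recv}</application></manifest>')

SUSPICIOUS = manifest("com.example.freegame",
                      [GCM_PERMISSION, *RISKY], gcm_receiver=True)
BENIGN = manifest("com.example.chat", [GCM_PERMISSION], gcm_receiver=True)
NO_GCM = manifest("com.example.smsbackup",
                  ["android.permission.SEND_SMS"], gcm_receiver=False)

if __name__ == "__main__":
    for name, xml in [("suspicious", SUSPICIOUS), ("benign", BENIGN), ("no_gcm", NO_GCM)]:
        print(name, triage_manifest(xml))
```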

One problem with GCM is that neither users nor mobile antivirus programs can block malicious messages received through it because they are delivered by the OS itself, Unuchek said via email. "Antivirus software cannot block system activities."

The only way to block this channel of communication between virus writers and their malware is to block the developer accounts whose IDs are being used to register malicious programs with GCM, he said. "We have informed Google about the detected GCM IDs that are used in malware."

There isn't currently a large number of malware programs that use GCM, but those that do exist are widespread in some parts of western Europe, the Commonwealth of Independent States (CIS) and Asia, Unuchek said.

GCM seems to be a very cheap and easy instrument for cybercriminals to use, so it's likely the service could be abused to a greater extent in the future unless the bar for cybercriminals is raised through countermeasures, the researcher said.

In addition to disabling developer IDs that are found to abuse the GCM service, it might also be a solution to actively analyze GCM messages for malicious content in a way similar to how intrusion detection systems analyze network traffic, Unuchek said.

Google did not immediately respond to an inquiry asking for information about the methods it uses to prevent malware writers from abusing the GCM service.


Lucian Constantin

IDG News Service