The Android Malware Invasion: Here Are Three of the Worst

This year, Android malware is expected to increase 200% when compared with its level in 2013. According to researchers at G Data, over 6,000 Android malware samples a day were discovered in the second quarter of 2015. There are a number of reasons for this startling increase. First of all, over 64% of the world uses Android devices (48% in the U.S.). This alone shows attackers that this operating system holds loads of potential riches. Secondly, more and more people are making payments through their Android devices, and this is expected to increase exponentially over the next 5 years. Thus, attackers can position themselves to ride these mobile devices right into the users’ bank accounts. But the main reason that malware makers are targeting Android, and smartphones specifically, is that so many mobile device users simply don’t believe that malware is a problem. Many still believe that viruses are the purview of desktop computers. Mobile devices are, therefore, the low-hanging fruit of the hackers’ world.

With this in mind, I decided to look at three of the most prevalent and dangerous malware packages now making the rounds. To make this list, I rated various malware samples on the cleverness of their attack vector, the ability to remain unseen, the potential danger posed by the malware, the number of victims, and the difficulty of removing it. Obviously, with millions of malware samples available, I can’t look at them all, but keep in mind that many are based on similar architectures with slight variations.

NGE Mobi

(Identified by FireEye on September 22)

 The name comes from the mobile app promotion company based in, who would have guessed, China. They guarantee that app designers who use their service will get lots of downloads. Hmm, that sounds somewhat suspicious. How on Earth could they do that? Well, the company preys on users who download apps from third party app stores/sites. These apps appear legitimate and will work, but hidden within them is the malware which does the ‘promotion’ work. Some of the apps compromised so far have been, Amazon, Memory Booster, Clean Master, PopBird, YTD Video Downloader, and Flashlight. You can expect many more to be compromised in the future.

The attack process can be seen in the following diagram:


To put it simply, the malware uses third party apps to take full control of your device and then use it to promote various apps or advertising, which makes their customers happy and, hopefully, rich. NGE Mobi appears similar to another recently discovered malware named, Ghost Push, which also promotes apps and ads.

NGE Mobi tricks the victim into automatically downloading and installing apps, bypassing any necessary permission acceptance. If a user clicks on an ad for an app, it will be instantly installed and be nearly impossible to remove, since these apps can be set to boot in when the phone is activated. Even a factory reset can’t remove them. It’s the fact that these apps can’t be removed that makes the victim begin to think that something is wrong with their device. Since the attacker has complete control of the device, they can do whatever they want with it. Users may think the malware is nothing more that an annoyance as it puts apps on the device that are so persistent. However, the potential exists for future variants of NGE Mobi to become quite dangerous and do much more than just promote apps and ads.

Mapin Trojan

(Identified by ESET on September 22)

 The only type of app promotion malware that would be more dangerous than the NGE Mobi would be one that didn’t rely on downloads from third party app sites. In other words, malware that could operate in legitimate stores, like the Google Play Store. Such an attack vector would constitute a significant ratcheting up of the danger level. Well, now researchers have identified malware that can work from within legitimate-looking Google Play apps. It is referred to as the Mapin Trojan.

Apparently, the designers took the code from legitimate apps and put their malware code within it. They then repackaged the app and gave it a name that was similar to the original app. They did not simply put their own malware package into legitimate apps, like most attackers do so as to sneak in on valid certification. In the Mapin Trojan attack, the original apps are not taken over. They are ‘new’ apps that look like the originals. Notice the slight misspellings and so on in the app names that make them appear to be the real thing (USubway Suffer, Plant vs Zombie, Super maria).


The goal of the attacker is to take full control of a victim’s device and make it part of a botnet. Unlike most malware, Mapin doesn’t deploy the instant the app is installed. It comes with a delay switch which may make the malware wait for up to 3 days before it becomes functional. During the waiting period, the game/app performs normally so that when the malware begins its activities, the app does not seem to be connected with the problem. According to ESET, this feature may have allowed it to circumvent detection by the Google Play Store.

After the waiting period, the malware displays a notification that seems to be coming from the device’s operating system. The fake notice is disguised as Google Play Update or Manage Settings. As ESET points out, “its main purpose, controlled from the remote server, is to deliver aggressive advertisements to the end user while pretending to be a system application.” Since it controls the end user’s device, this is not a problem.

fake notice

Press ‘install’ and the malware begins its work. Press ‘cancel’ and the victim will be nagged repeatedly with the same notification until they finally succumb. The malware will then submit a similar notice asking for administrator rights. (The malware uses Google Chrome Messenger to communicate with its server.)

A number of Mapin infected apps could still be available on legitimate download sites. It is suggested that downloaders check permissions carefully and, most importantly, read the comments of other users to see if they are having any unusual problems with their devices after installing these apps. Look for comments which indicate problems with removing ads or apps.


(Identified by AdaptiveMobile on October 8)

 Of all the Android malware making the rounds these days, this one has the greatest potential for doing harm. The malware emanates from China and even the Chinese government has issued warnings against it, so you know it must be bad. There are numerous names for this malware and numerous variants as it appears to be growing in sophistication over time. The purpose seems to be long term monitoring of the device it has infected.

The attack begins with an SMS message seemingly from a friend. Actually, it does come from a friend’s device, but the friend’s device is controlled by the malware. Sometimes the friend wants to share a photo with the victim, sometimes a work document, and sometimes the SMS will contain a threat to disclose a compromising photo. Many tricks are used, which indicates that a certain amount of social engineering seems to have been done by the attackers to make the SMS seem more legitimate. In any event, when the victim clicks on the link in the SMS, they are sent to an app store. If the SMS was a lure to view a photo, the app store may suggest installing a particular photo viewer, if the link was to view a document, the victim may be prompted to use a certain document viewer, and so on. If the victim decides to download the suggested app, they will be asked to give certain permissions for it as follows.


Notice that the app is looking for some serious control over the victim’s device. If the victim gives the permission, the malware then hides itself while extracting information from your contact list and reading every SMS you send or receive. In this way, it can probably learn what type of SMS message to send to various contacts and continue the attack on them. They not only have control of you, they have control over all of your contacts, or soon will. With their network expanding, they can gather extensive information on numerous individuals. If an SMS contains sensitive banking information, they can use that as well. In fact, AdaptiveMobile reports that a “Chinese resident clicked on a link from his phone and downloaded the malware. Hackers then received his online banking authentication code via SMS and transferred money from his four different accounts”. Although the malware is currently restricted to China, there is little doubt that it could spread rapidly into other regions in the not so distant future. There is also the possibility that other criminal organizations may back engineer this malware for their own purposes. In any event, AdaptiveMalware points out that “the scale of this infection is unknown, but we can confirm that the campaign is very active. Almost every day we’re detecting a new download link and new variations of the malware.”

Implications for companies, institutions, and governments

 For the moment, it looks like the three types of malware discussed above are focused on making financial gains for its operators. However, all of them are sophisticated enough to be tweaked to do far more. If your enterprise allows employees to connect to its network through mobile devices, you could be putting yourself and your enterprise data in a dangerous position. It would be a simple matter for this malware to leverage its control over an endpoint to gain access to your network. Once there, it could take whatever the remote operators want it to take. Your employees’ problem suddenly becomes your problem.

This problem could be solved in a number of ways. Companies could give employees phones that the company has total control over and, thereby, limit what employees can do with them. This, however, may be an expensive proposition for larger companies. Companies can also restrict what users do with their own devices, but this often causes disputes over who, in fact, has control over employees’ phones. Often these restrictions lead to employees finding ways to circumvent restrictions. A third way is to have employees use security architecture that separates the employees’ device into two virtual devices at the hardware level. This allows employees to do whatever they want on their personal side of the device while preventing malware from crossing over when they switch to the network side.

Although this post focuses on Android malware, don’t be deceived into thinking that other operating systems are any safer. Apple’s iPhone App Store, for example, has recently experienced a serious attack. There is little doubt that attacks via smartphones will become more frequent and more sophisticated. The next big corporate or institutional breach will most likely be traced to one employee making one mistake, probably by clicking on a link or downloading an app that they shouldn’t have. But one mistake can cost millions of dollars, expose sensitive data, and even compromise national security. It’s something to think about.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s