Server-side polymorphic Android apps

Server-side polymorphism, a technique that serves each downloader a unique malware variant so that signature-based detection is evaded, is routinely used by malware peddlers targeting Windows users, but Symantec researchers have only recently begun spotting the same approach being used to push out malicious Android apps.

These apps are being offered on a number of Russian websites, where users can purportedly download free versions of popular Android software – in this particular case, the Opera Mini mobile browser.

“The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family,” says Symantec.

The served malicious apps change in three ways:

  • Variable data changes – mostly in a single database file containing a list of premium numbers and messages that the malware sends when active
  • File re-ordering – changing the order of the code and data files within the application package
  • Adding dummy files – inserting one or more (sometimes as many as forty) .temp files, each containing an innocuous image, into the application package.
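As an added illustration (not code from the article or from Symantec), the following Python shows why a whole-file hash fails against the three morphing tricks above while a fingerprint over the stable code and manifest entries, ignoring padding files and the variable database and sorted by name, still collapses the variants into one family. The entry names (assets/numbers.db, the .temp suffix) and the packages themselves are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Assumptions (not from the article): padding files are named *.temp and the
# premium-number database lives at assets/numbers.db inside the package.
PADDING_SUFFIX = ".temp"
VARIABLE_DATA = {"assets/numbers.db"}


def build_apk(entries):
    """Build a constructed, in-memory APK-like zip from (name, bytes) pairs in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()


def whole_file_hash(apk_bytes):
    """Naive signature: hash of the whole package. Any of the three tricks changes it."""
    return hashlib.sha256(apk_bytes).hexdigest()


def structural_fingerprint(apk_bytes):
    """Family fingerprint: hash each entry except padding and variable-data files,
    then combine them sorted by name so that entry order inside the zip is irrelevant."""
    digests = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith(PADDING_SUFFIX) or name in VARIABLE_DATA:
                continue  # skip the parts the server varies per download
            digests.append((name, hashlib.sha256(z.read(info)).hexdigest()))
    combined = hashlib.sha256()
    for name, digest in sorted(digests):
        combined.update(f"{name}\0{digest}\n".encode())
    return combined.hexdigest()


# Constructed samples: two downloads of the same family, morphed as the article describes.
CODE, MANIFEST, IMAGE = b"fake classes.dex", b"<manifest/>", b"\x89PNG fake image"
VARIANT_A = build_apk([("AndroidManifest.xml", MANIFEST), ("classes.dex", CODE),
                       ("assets/numbers.db", b"+100001|text one")])
VARIANT_B = build_apk([("assets/numbers.db", b"+100002|text two"),   # variable data changed
                       ("res/1.temp", IMAGE), ("res/2.temp", IMAGE),  # dummy files added
                       ("classes.dex", CODE), ("AndroidManifest.xml", MANIFEST)])  # re-ordered

if __name__ == "__main__":
    print("whole-file hashes differ:", whole_file_hash(VARIANT_A) != whole_file_hash(VARIANT_B))
    print("family fingerprints match:", structural_fingerprint(VARIANT_A) == structural_fingerprint(VARIANT_B))
```

An unusually high count of .temp entries holding identical image bytes is itself a cheap triage signal for this family, independent of the fingerprint.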

“Once the packages are downloaded and installed on the phone, SMS messages are automatically sent and the browser opens certain websites that are hosting further malware and/or the actual legitimate Android applications,” say the researchers, and point out that while the websites hosting these malicious app variants are Russian, the actual apps target users from a variety of European and Asian countries, as well as those from Israel and Australia.

As always, users are advised to carefully review the permissions every app they want to install asks of them. The permission to send SMS messages should always be one that makes you think twice about it.
