Cybercriminals have been spotted using a novel method of controlling Android mobile malware: a legitimate service called Google Cloud Messaging.
GCM was created to let app developers send small packets of data from their servers to their applications installed on Android devices, or to their Chrome apps and extensions. These packets usually contain advertising information, links, or commands for the app to execute, and are often used to push in-app messages to users.
“In order to use this service, a developer must first receive a unique ID for his applications, which will be used to register the applications with GCM. After registration, the developer may send data to all devices on which the registered applications are installed, or to just some of them,” Kaspersky Lab expert Roman Unuchek explains.
The service was introduced a little over a year ago, and it was just a matter of time until malware developers began to use it.
Kaspersky Lab researchers have discovered a couple of instances where Android Trojans used GCM as a C&C server.
Most of them are capable of sending text messages to premium numbers, and some, like OpFake and FakeInst, can also steal or delete incoming messages, create shortcuts to malicious sites, display ads for other malicious programs disguised as legitimate apps or games, collect contact information and information about the phone and the SIM card and send it to a remote server, and more. Both of these Trojans have been installed by millions of users.
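A triage heuristic for the pattern described above, added here as an example and not Kaspersky Lab's or Google's code: it parses a decoded AndroidManifest.xml and flags apps that both register a GCM push receiver and request SMS permissions, the combination the described Trojans need. The sample manifest is constructed, and only the combination is treated as worth a closer look, since GCM registration alone is what every legitimate push-enabled app does.

```python
# Added example: flag manifests that combine a GCM push receiver with SMS capabilities
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# GCM (formerly C2DM) registration indicators
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_INTENT = "com.google.android.c2dm.intent.RECEIVE"

# SMS permissions needed for premium-rate texting and for stealing or deleting incoming messages
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

def analyze_manifest(manifest_xml: str) -> dict:
    """Return which indicators a decoded AndroidManifest.xml contains."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    uses_gcm = GCM_PERMISSION in perms or GCM_INTENT in actions
    sms = sorted(perms & SMS_PERMISSIONS)
    return {
        "uses_gcm": uses_gcm,
        "sms_permissions": sms,
        # GCM plus SMS access is the pattern worth a closer look; neither alone is suspicious
        "suspicious": uses_gcm and bool(sms),
    }

# Constructed sample manifest (not taken from a real APK)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `analyze_manifest` on the manifest extracted from an APK with a decoder such as apktool; binary manifests must be decoded to plain XML first.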
It’s interesting to note that when installed and run, OpFake first contacts its C&C server and only then registers with GCM, but once both channels are active, commands arriving via GCM and via the C&C server have equal standing.
“Even though the current number of malicious programs using GCM is still relatively low, some of them are widespread. These programs are prevalent in some countries in Western Europe, the CIS, and Asia,” shared Unuchek, and added that the biggest problem is that infected users cannot block the messages sent via the GCM.
The only way to stop them is to block the developer accounts discovered to be using the service maliciously and to revoke the GCM IDs associated with the malicious apps.