Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Android Malware Using Blog as C&C Server

Update: NetQin Mobile reached out to SecurityWeek to let us know that they had previously identified the same malware under the name AnserverBot on September 19th. Dr. XuXian Jiang, Chief Scientist at NetQin’s US Security Research Center, offers a detailed report on how the malware works. – Editor

Update: NetQin Mobile reached out to SecurityWeek to let us know that they had previously identified the same malware under the name AnserverBot on September 19th. Dr. XuXian Jiang, Chief Scientist at NetQin’s US Security Research Center, offers a detailed report on how the malware works. – Editor

Researchers at Trend Micro have discovered a unique feature circulating in some Android-based malware. The malicious application is using a blog in China to act as a Command and Control (C&C) server.

Over the last year, rogue Android applications have made headlines, and stressed to consumers the need to stick with known Application repositories, such as the Android Marketplace. On Tuesday, Trend Micro discovered a malicious Android application out of China using a new trick to receive instructions.

“This, based on our research, is the first time Android malware implemented this kind of technique to communicate with its server,” commented Trend’s Karl Dominguez, a Threat Response Engineer.

Disguised as a eBook reader, the application requests nearly total control over the mobile device when installed, including access to the Web, network settings, the ability to edit, read, and receive SMS or MMS messages, read and write to contact lists, disable key locks, make calls, and more.

“From our analysis, we found that this malware has two hard-coded C&C Servers to which it connects to receive commands and deliver payloads. The first server is just like the usual remote site, where the malware posts and gets information and commands. The second C&C server, however, caught our attention. The second C&C server is a blog site with encrypted content,” Dominguez notes.

Advertisement. Scroll to continue reading.

Blog As Command and Control Server

The malware will connect to the C&C, which replies with a XML file containing the download URL to obtain updated code. Checking the development history on the blog shows that updates focused on creative messages that tricked users into allowing application updates. If the initial C&C contact fails, the malware will check the blog for a new URL, and continue the update process.

“The use of blog platforms in malware activities is not unheard of for malware affecting computers. In fact, early this year a botnet was found using Twitter for issuing commands to affected systems,” Dominguez noted. “If anything, this recent adaptation of mobile malware using this technique is another sign of its continued development and proliferation.”

Again, the easiest way to avoid problems with malicious applications is to avoid downloading generic knock-offs, and to stick to the known, trusted marketplaces.

Related Reading: Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.