PRAGUE – Virus Bulletin 2015 – A senior software engineer at Google detailed on Thursday the steps taken by the Internet giant to disrupt a bank phishing campaign targeting Android users in Russia.
The increasing popularity of the Android operating system has made it a tempting target for many cybercriminals. They have been using not only third-party app stores, but also the official Google Play service to infect a large number of mobile devices with various types of malware.
Google recently admitted that the Android ecosystem has a malware problem and the company has started taking steps to protect its customers, including monthly vulnerability patch cycles for the operating system and new mechanisms that work behind the scenes to keep potentially harmful applications (PHAs) away from smartphones.
After a long period in which security firms reported considerable increases in the number of malware infections on Android devices, Google reported in April 2015 that the overall worldwide rate of PHA installs decreased by nearly 50 percent between the first and fourth quarter of 2014. The company now says the number of infected devices has dropped even more in the first half of this year.
One of the systems used by Google for keeping malware out of the Android ecosystem is the Google Play service, which conducts security scans on 200 million devices each day. There are also some technologies that run on users’ devices, such as Safety Net, which detects and mitigates network attacks and other threats that are not related to apps, and Verify Apps, a system designed to warn users when they are about to install PHAs and which scans installed apps for such threats.
In a presentation at the Virus Bulletin conference in Prague, Sebastian Porst, senior software engineer at Google, revealed that the company’s Android Security Team set up an internal task force in January 2015 and used these systems to track and disrupt a bank phishing campaign targeted at users in Russia.
According to Porst, the phishing campaign, which targeted customers of Google and the Russian bank Sberbank, had been publicly described by several security vendors. The threat, which Google had been monitoring since 2013, was distributed through social engineering techniques (e.g. as a fake Flash Player installer). Despite monitoring this threat for years, Google had initially not taken action because it was not a widespread issue, Porst said during his talk.
For this campaign, Google actually tracked six PHA families and the downloaders used to distribute them, the expert noted.
Once the malware was installed on a smartphone, it monitored the apps accessed by the victim and when it detected the Sberbank or Google Play apps being used it displayed phishing windows on top of the legitimate application in an effort to trick the user into handing over sensitive information. The malware, designed to work with both web-based and SMS-based command and control (C&C) servers, achieved persistence by abusing device administrator permissions.
The first phase of Google’s clean-up operation took place between March 12 and March 29. During this phase, the company started scanning devices more frequently, increasing the number from one scan per week to one scan per day. After each scan, users were warned about the presence of the malicious app, which led to a drop in the number of installs, but it was not as significant as the company expected.
After the first phase ended, Google noticed that only a small percentage of users had decided to disable the Verify Apps feature because of the increased number of warnings they were presented with each day.
In the second phase, which took place between March 30 and June 10, Google took more aggressive action, including automatically blocking the installation of the targeted PHA families.
The Internet giant also started automatically removing the offending apps from infected devices. The problem was that, because the malicious apps abused device administrator permissions and intercepted removal attempts, it was not easy to remotely clean up the infection via Verify Apps.
To achieve this goal, Google used the Intent Firewall, a component of the Android framework that allows rules to be enforced on intents. By using the Intent Firewall, which it had not previously leveraged for such purposes, Google managed to block broadcasts from device administrator apps and remove the PHAs.
Once it started disrupting the threat’s distribution network, Google noticed a significant drop in installation attempts and an 80 percent decrease in the number of devices affected by the targeted malware families.
For those wondering, Porst said Google’s legal team confirmed that the remote removal of the malicious apps was in compliance with its terms of service.
Following the disruption of this phishing campaign, Google determined that the device administrator is “too powerful,” which led to the company taking some steps to prevent future abuse. With the release of Android 6.0 Marshmallow, Google is trying to prevent apps from displaying alert windows without explicit user consent, and designed runtime permissions so that SMS-based C&C servers are difficult to use, Porst said.
Google has also made some improvements to Safety Net in an effort to make remote clean-ups easier to perform. The company is also now conducting daily scans for at-risk locales and it’s blocking users from installing PHAs in at-risk locales.
Porst noted in the “lessons learned” part of his presentation that cleaning up after the bad guys is a full-time job that requires a dedicated team, but the expert noted that at least in this case the malicious actors could not adapt fast enough to escape the clean-up efforts.
Google is currently working on a second malware removal campaign. In the meantime, the company is leveraging its Safe Browsing system in an attempt to protect Android users against malicious elements served on third-party websites. However, this initiative is currently not used on a large scale.