Do or Die: Fighting Back Against Constantly Evolving Google Play Android Malware

Jagadeesh Chandraiah, Threat Researcher, Sophos

Google Play is the official application store for the Android platform, recommended by Google. This year we have already seen several headline-grabbing Android malware families with millions of infections [1]. In September alone, security researchers discovered four different instances of Google Play malware, besides several other instances of infection throughout the year, with hundreds of millions of user installations. According to Google's own stats [2], over 1600 malware applications, also called potentially harmful applications (PHAs), infiltrated the Google Play store. Google Play malware has been evolving and will continue to evolve in the future. It is important to examine these evolutions and update our defense systems.

Early Google Play malware consisted of simple SMS senders, ransomware and downloaders; it then moved on to multi-stage downloaders like Ghost Push and Android clickers. Now, malware authors are developing targeted attacks like Lipizzan and several banker bots built from leaked source code. We have also seen an evolution in the techniques malware authors use to infiltrate Google Play and succeed in infecting user devices. Many interesting techniques are used, some of which are:

· Abuse of the Accessibility service for installing malicious applications; the legitimate use of this service is to assist users with disabilities in using Android apps.
· Abuse of the Android WebView interface to run malicious JavaScript code for stealing device information, loading malicious ads and sending premium messages, which is
· Abuse of the permission to draw over other apps to display fake overlays and steal credentials

In this presentation, we want to dissect recent Google Play malware and investigate interesting techniques, like the ones described above, and then present remedial actions and changes that can be made to prevent these infections from happening again.

Jagadeesh Chandraiah

Jagadeesh Chandraiah graduated from the Visweswaraiah Technological University in India. He also holds a Master's degree from the University of South Wales, UK. He has been working at Sophos in the UK for over eight years, where he has worked on spam analysis and on Windows and mobile malware analysis. At present, he is concentrating mainly on Android malware analysis. Outside of work, Jagadeesh enjoys playing badminton.