Android malware invasion – only time can tell

These days the debate about Android platform malware become more intense than ever. On one side the open source and public sector engineering manager at Google, Chris DiBona wrote an article at Google+ blog containing some incendiary sentences like:

No major cell phone has a ‘virus’ problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels.


Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.


If you read an analyst report about ‘viruses’ infecting ios, android or rim, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence. If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.

You can read the whole article here. This on one side. On the other side, almost all the major antivirus companies treated the Android malware as a real threat, have written articles about it and made the final step: they developed security solutions for Android devices. For example you can find on Android Market Webroot Anti-virus, Internet security & identity protection for Android™ smartphones & tablets, Dr.Web Anti-virus, Anti-Virus Pro from AVG ,  Kaspersky Mobile Security or Bitdefender Mobile Security. These antivirus vendors are all crooks? I doubt it.

A few weeks ago, Dr.Web security company wrote an article about an Android version of the well-known banking trojan SpyEye named Android.SpyEye.1, at Trend Micro website you can read an article about another Android malware, ANDROIDOS_FAKEBROWS.A which is a SMS premium services abuser. Even the QR codes are used to spread malware targeting the Android platform, see here, and according to GFI Labs Blog, rogue browsers will make a comeback on the mobile platform. Let’s mention another interesting Android trojan case, the so called Plankton which was found in the Official Android Market by Xuxian Jiang. Here is an excerpt from the original article:

This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar. In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality. Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers. Its stealthy design also explains why some earlier variants have been there for more than 2 months without being detected by current mobile anti-virus software.

However. Let’s assume that the Android platform is safe as DiBona said and Android Market is clean because Google is vigilant. So no one is threatened. Hmmm, wait, this is already the ideal world where everybody is supposed to do only what is supposed to do and Android devices to be ran only how they are supposed to be ran. But a significant percentage of users want to “hack” their devices, to root them or to install customized ROMs. “Rooting” their devices means they can run applications on Android devices with “superuser” rights endangering the whole system security. Also, a number of Android users try to install applications from untrusted sources, from the so called black market and now you can see why an infection of an Android device which runs in the above circumstances(rooted and running untrustworthy apps) is not only possible but more than probable. Well, these users need an mobile anti-virus to defend them by themselves. In the same time it can be true that Android users who are playing “nice” with their devices and do only the supposed things(install apps only from the official Android Market) do not need an anti-virus for their phone.

Is  not easy to distinguish a trend in Android malware evolution and that’s why the title: only time can tell.

Edit: I just have found some informations on the web, those are good subjects for meditation:

* Android < 2.3.6 PowerVR SGX Privilege Escalation Exploit
* Jon Larimer <>
* Jon Oberheide
* Information:
* CVE-2011-1352 is a kernel memory corruption vulnerability that can lead
* to privilege escalation. Any user with access to /dev/pvrsrvkm can use
* this bug to obtain root privileges on an affected device.
* CVE-2011-1350 allows leaking a portion of kernel memory to user mode
* processes. This vulnerability exists because of improper bounds checking
* when returning data to user mode from an ioctl system call.

These vulnerabilities are still under review by the CVE Editorial Board, I will look forward for conclusions.

A proof of concept article about a botnet based on Android devices and controlled via SMS was postedat (Edit: Now it seems to be deleted)

It’s a certain fact of these days that SMS trojans(trojans sending SMS messages to premium services, a fast way for hacker’s financial gains) are spreading fast around the world according to an article in Kaspersky blog written by Denis. He says in the article that new discovered SMS trojan, Trojan-SMS.AndroidOS.Foncy are targeting users from France, Belgium, Switzerland, Luxembourg, Germany, Spain, UK and Canada emptying their pockets. But probably these are part of the little things to which Chris DiBona is referring to.

The truth is the infected Android application containing the SMS trojan was downloaded from a warez site and not from Android official Market and that remember me: the humans are the weakest  link in security.

Be safe !

Posted in Thoughts.

Leave a Reply