Android Mobile Malware Found In The Wild

A couple of weeks ago, SophosLabs Insights posted an advisory about mobile malware detections increasing, and they still are.

While attending an innocent birthday party for a 4-year-old, a friend (we will call Agent P to protect her identity) was showing me something on her 6-month-old Samsung Galaxy S II.

After we watching a video, I asked Agent P if she has any antivirus software on her Galaxy S II. For a moment Agent P thought about it, and she responded that she does, but couldn't recall which one.

We then proceeded to install a brand of free mobile antivirus software I use. As the scan started, right away not-so-innocent mobile malware was detected! That was fast!

Agent P was surprised that her smartphone was harboring mobile malware when she believed that there was antivirus software already installed. Perhaps it wasn't up to date? We didn't investigate.

This family of mobile malware detected by SophosLabs is called Andr/NewYearL-B (also known as CounterClank). Some labs don't consider this to be malware as much as a Potentially Unwanted Application (PUA), as you will read about shortly. We found Andr/NewYearkL-B hiding in an Android app called Brightest Flashlight Free version 2.3.3.

In an effort to understand how the malware got there, when asked about which markets Agent P get her apps from, she responded with, "Google." I asked her if she goes to other markets for apps, and Agent P made it clear that she only downloads apps from Google Play -- which is the proper thing to do.

We looked at the permissions accessible by the Brightest Flashlight Free, and this is what we found:

Storage

System Tools

Your Location

Hardware controls

Other

Development tools

Phone calls

Network communication

Perhaps it's my ignorance, but would anything related to storage, system tools, your location, camera, development tools, phone calls, and network communication be ridiculously more accessible to the smartphone capabilities than what a flashlight app would require?

The brightest moment of our day was uninstalling the infected version of Brightest Flashlight Free. We hoped that not too much of Agent P's personal information was siphoned back to the cybercriminals. She does understand there is a high probability of data loss since the app had enough time to do its dirty deeds. Fortunately, this is a personal device without any company confidential or ePHI data.

Considering the reputation of the app, it has a very high rating in the Google Play store, which is a very good gauge to measure the user satisfaction and cleanliness of an app. After a couple of minutes of reading negative reviews, I found that while these reviews don't use terms, such as malware or virus, they describe malware behavior.

"No reason that this app should constantly run in the background when not in use."

"It always freezes my phone. I always have to restart it."

"Ok app, but why all the invasive permissions. .. Take pictures? Location? UNINSTALLED"

"Began scanning my phone without permission and offering security fixes when I used the light. !"

Our advice is don't let down your guard; only download from Google Play, check the reviews, don't root your Android, and get protection proactively before the lesson learned by Agent P.

Mobile malware is real, and it can even be found at a 4-year-old's birthday party. But it can be controlled.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg