Understanding Android malware families: File infectious and potentially unwanted applications introduction
Understanding Android malware families: File infectious and potentially unwanted applications
introduction
File Infector is a malware that attaches itself to APK files, which contain all the data related to Android applications. File Infector gets installed along with the APK files, and is executed when the APK file is installed. An APK file can be any Android application such as a game, word processing file, location navigation or any other application. Recently, Google removed several apps from the Play Store because they were suspected of containing malware. Families infected with the file try to slow down the device and consume a lot of battery.
PUAs are potentially unwanted applications that come with genuine applications that are available for free. They are sometimes called potentially unwanted programs (PUPs). PUAs are not always destructive - it all depends on their use. PUAs are installed automatically when the application with which it is bundled is installed; They can take the form of adware, spyware or hijackers. When PUA behaves like popping up an advertisement, it is called adware. PUAs slow down the device by consuming memory. They can also lead to other PUP and spyware programs that aim to steal sensitive data from the target device and send it to the attacker.
According to a report published by Avira, there has been a two percent drop in Android PUA malware samples in the third quarter as compared to the second quarter of 2020. However, 29.3 percent of cyber attacks in the same quarter are due to filers. According to another report published by AVTest, 927,553 Android malware samples were detected as of the end of March 2021. Of these samples, 1.48 million samples are PUA. These news and statistics are shocking. Figure 1 shows the growth of PUA samples over the last five years based on the AVTest report. It is clear that the number of PUA Android malware samples is steadily increasing every year.
This article is the final article in the UAMF series that explains the major file infectivity and PUA families exposed Android malware families. It provides a deeper insight into the functions, activities and communication processes used by the popular File Infector and PUA malware families, based on our public dataset on Android malware named CCCS-CIC-AndMal-2020. This presents the essential indicators to understand that the smartphone is infected with File Infector and PUA malware. It also takes an in-depth look at the technical specifications that these families can look for on a smartphone. Finally, the article introduces some preventive measures to protect the device from File Infector and PUA malware families.
File Infector and PUA Family
Some common activities performed by file infected families include collecting device IDs, International Mobile Equipment Identity (IMEI) numbers and phone status. They can block, delete, or use the Phone application, and they can modify, collect, and access files and device settings. In the worst case, file infectors can root the device. Gudex and Tachi are the two main families that put the network country ISO under the File Infector malware category. Additionally, Tachi gets system properties to obtain the IP address of the WiFi device while Gudex digests the message and sends the text message.
PUAs collect personal information and user contacts from the device. They access device location via Global Positioning System (GPS), display pop-up advertisements/notifications/alerts, user violate URLs and shortcuts on the screen. Ampay executes database queries. Scamp opens URL connections and input files, starts new activities, and obtains the network country ISO. AppTrack opens input and output files and receives network operators. This article presents the five file infectors and eight PUA families analyzed for
behavior change upon execution
Based on the results from our Android dataset (CCCS-CIC-AndMal-2020), the behavioral changes in the File Infector malware families upon execution are shown in Figure 3. The left side of the figure represents the behavior corresponding to starting a device while the right side of the figure shows the behavior curve after restarting the device. Without going into the technical details of the x- and y-axis of the graph, it is clear that the four families plotted in Figure 3 follow a similar curve before and after restarting the device. This indicates that the behavior of these families remains the same upon starting and restarting the device. Simply put, restarting the device does not change the behavior displayed by file infected families.
The behavioral changes in PUA malware families upon execution are shown in Figure 4. Similar to Figure 3, the left side of the figure represents the behavior corresponding to starting the device, while the right side of the figure shows the behavior curve after restarting the device. .
Overall, there are two prominent spikes in the red and brown curves on the left and right sides of the figure. The red curve corresponds to the umpay family. It is clear that after restarting the device, the umpay family shows a change in behavior. This means that after rebooting the device on which it is installed, the behavior of umpay increases randomly. The second major change corresponds to the gray curve indicating that the randomness in behavior decreases after rebooting the device. This curve belongs to youmi family. For the rest of the family, there is no change in behavior before and after rebooting the device.
Types of PUA
PUAs can fall in the form of the following malware categories:
Adware: Adware represents advertising malware. It is a malicious application that throws unwanted advertisements on the user screen, especially when accessing web services. Adware attracts users to ads that entice them to click on the ad. Once a user clicks on the ad, revenue is generated by the developer of this unwanted application.
Browser Hijacker: Browser hijacking is a term associated with malicious software. It is used to display advertisements, visit malicious websites, and redirect the user to fraudulent websites that may download malware to the phone.
Spyware: Spyware is malicious software that is installed on a user's device to steal sensitive information. The data collected by spyware is passed on to advertisers, outside agencies or firms. This data is later used to carry out malicious activities.
How is PUA spread?
PUAs often get installed along with legitimate applications. This is not always harmful, but the user should still be aware of the malicious activities that he can do. PUA spreads through social engineering strategy. Legitimate apps trick users into installing additional apps. This is done in the following ways:
Tricking users to take unnecessary action.
Assigning additional permissions to apps.
Persuading users to install additional apps.
Installing additional apps by default.
Effect of PUA
PUAs can affect target devices in the following ways:
User Privacy: PUAs can sniff user activities and surfing habits. They collect sensitive information from the device and send it to a remote attacker.
Drain Resources: PUA drains mobile battery and uses up device memory by storing non-essential data.
Compromise security: PUA may expose sensitive information collected from the device to unintended applications and websites.
Technical Features that can Detect File Infector and PUA
Based on the results of our Android dataset (CCCS-CIC-AndMal-2020), the following technical features are very helpful for File Infector and PUA detection:
Memory Features: Memory features define the activities performed by malware using memory.
API Features: Application Programming Interface (API) features delineate the communication between two applications. Whenever a user searches for information in a browser, checks the weather forecast, sets a timer, or accesses social media, they are using the Android API in the background.
Network Features: Network features describe the data transmitted and received between other devices in the network. It indicates foreground and background network usage.
Logcat Features: The logcat utility writes log messages corresponding to the function performed by the malware.
symptoms of infection
The following points indicate that the device is infected by File Infector or PUA:
Frequent display of unwanted apps on the screen.
Battery drains very fast.
Low device memory.
Slow device speed.
Applications and services will crash more often.
The device is heated.
Unrecognized apps downloaded to the device without the user's consent.
Preventive measures to protect your device
Following are some important measures to protect your device:
Check the box already checked before downloading and installing any application. The pre-check boxes authorize the PUA for malicious activities.
Skim the terms and conditions before installing any app. It sounds bad but is necessary to protect the device. PUAs are referred to as their names in the terms and conditions agreement.
Scan the device with a good anti-virus or anti-malware to detect malware.
Do not download apps from third party stores.
Keep the device updated.
Manually check any unwanted apps installed on the device.
Phishing Emails and Messages
No comments