Akamai Diversity
Home > DNS > Ghosts Haunt Internet II: Android Malware

Ghosts Haunt Internet II: Android Malware

<p>Android fans were probably chuckling over the XcodeGhost malware news - hackers don't often penetrate Apple's defenses. This provoked the Nominum, now part of Akamai, Data Science team to take a look at what's happening with malware targeting Android. Common wisdom is Android is exposed because there's less rigor in the development and supply chain, and third-party app stores with no protections are popular. Determined hackers can allegedly subvert defenses and get various kinds of exploits placed on mobile devices running the highly popular operating system. But what does the data show?</p>

A quick check against some recently publicized exploits shows widespread malware infections on Android devices. BrainTest has been reported on by a few security firms. It's noteworthy because it actively evades detection mechanisms and avoids being uninstalled. Less clear is the actual damage it does, although researchers believe its developers have considerable latitude to download additional payloads and thus it can evolve and change. Below are a couple of charts that reflect activity for BrainTest Command & Control domains - a reasonable proxy for infections.

query-count-brain-test

unique-ips-querying-brain-test

Another exploit, GhostPush, tells a similar story. Various security reports suggest GhostPush has infected a variety of apps and is a real nuisance since it is very difficult to uninstall. It turns out GhostPush has different Command & Control functions (special commands remote malware uses to get instructions) for injecting malware, sending information, getting instructions etc.   The data below shows GhostPush DNS queries for injecting malware - which are representative of new infections. Compared The data set used to generate the graphs represents around 2% of worldwide ISP DNS traffic so quick math gives a rough estimate of overall infections:

20,000/0.02 = 1 Million infected IPs

This is in the range of other reports about the extent of infections.

query-count-ghost-push

unique-ips-querying-ghost-push

What's interesting about this data is the fact that the infection rate doesn't decline as it did with the recent XcodeGhost malware affecting iOS apps. Compared side by side when affected iOS apps were discovered and taken off the App Store there was a decline in infections - indicating infected apps were removed from the device.

android-unique-ips-querying-brain-test android-unique-ips-querying-ghost-push ios-unique-ips-querying-xcodeghost

In the case of Android this suggests either:

  • Infected apps are difficult to remove, which coincides with reports on GhostPush
  • Communications about infected apps are poor or non-existent so users are simply unaware
  • Users ignore warnings about infections

Mobile malware has been a topic of discussion for several years but hasn't represented much of a threat in the past, but perhaps that's changing. That's why Nominum, now part of Akamai, Data Science is creating an environment that keeps tabs on mobile malware. Observing mobile device infection trends and correlating with other data will provide a good gauge of what's happening - useful information as mobile is central to the Internet literally everywhere in the world.

Leave a comment