Crooks Use Google’s Own Cloud To Control Android Malware

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Google’s cloud is abused as part of attackers’ command and control infrastructure

Cyber criminals are controlling Android malware using Google’s own cloud, helping them update bad apps to add fresh functionality without being blocked.

A host of typical Android malware is being updated via Google Cloud Messaging, a service that lets developers send data, such as advertising information, small messages and commands, to users of their applications.

As GCM is an official Google service, it is impossible to block updates directly on an infected device, Kaspersky Lab warned. Developers have to get a unique ID from Google to use GCM, which indicates that Google is unwittingly granting such IDs to cyber crooks.

Abusing Google to control Android malware

The criminals use GCM to initiate updates, advertise other malicious programs or have infected devices send text messages. Effectively, the Google cloud is exploited to become part of the attackers’ command and control infrastructure.

The FakeInst.a Trojan, one of the most prevalent Android threats, which sends text messages to premium-rate numbers and can delete incoming text messages, is registered with GCM. That particular malware is prevalent in Russia, and Kaspersky said it had detected over 4.8 million FakeInst.a installers to date.

The Agent.ao malware, which is prevalent in the UK, used GCM to retrieve updates and create notifications with information or advertising content.
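As an added illustration (not from the article or from Kaspersky), one triage heuristic a defender can run over a suspicious APK's decoded AndroidManifest.xml: flag apps that register a GCM receiver and also hold SMS permissions, the combination a FakeInst-style SMS Trojan controlled over GCM needs. The manifest below is constructed; the GCM permission and intent action names are the real ones.

```python
"""Heuristic triage of an AndroidManifest.xml for the GCM-as-C2 pattern:
an app that listens for GCM pushes *and* can send or intercept SMS
deserves a closer look. Sample manifest is constructed, not real malware."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
GCM_RECEIVE_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Constructed manifest mimicking an app that takes GCM pushes and handles SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return which GCM/SMS indicators a manifest shows and a combined verdict."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # android:name in namespaced form
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    actions = {a.get(name_attr) for a in root.iter("action")}
    # Either the GCM permission or a receiver for the GCM intent means pushes are consumed.
    uses_gcm = GCM_RECEIVE_PERMISSION in perms or GCM_RECEIVE_ACTION in actions
    sms = sorted(perms & SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "gcm_receiver": uses_gcm,
        "sms_permissions": sms,
        # GCM alone is normal for legitimate apps; GCM plus SMS is the triage signal.
        "suspicious": uses_gcm and bool(sms),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit here is only a reason to inspect the app further (e.g. what its GCM receiver does with incoming payloads); many legitimate apps use GCM, so the heuristic is a filter, not a verdict.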

Many of the malicious applications are pornography-related, and none are on the official Google Play market. Users are advised to download apps only from trusted sources.

“The execution of commands received from GCM is performed by the GCM system and it is impossible to block them directly on an infected device,” said Kaspersky Lab expert Roman Unuchek, in a blog post.

“The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.”
