September 6, 2021
Android is a very popular mobile operating system, running on around 50 percent of all mobile devices globally and around 40 percent in North America. The operating system has several security challenges coming from Android malware, a lack of unified security standards, and overall market fragmentation (i.e. even the most popular Android devices do not have more than 3 percent of the Android market). This means that there are quite a few security issues to think about when working with Android devices, especially when we take poor kernel update and security patching practices of some manufacturers.
There is no clear single ‘worst’ malware threat to Android devices. While our data does show that the largest security threats to mobile devices come from browsing activities, there are countless other things we should consider.
A Non-exhaustive List of Android Malware Categories
Going through each malware type is beyond the scope of this page, but we will eventually publish overviews for most of these threats to Android devices and link to their respective analyses from here.
- Phone cloners
- Malicious APKs launching DoS attacks
- Legitimate-looking APKs with backdoors, impersonating well-known apps
- Malicious APK Spam
- Banking trojans
- Malicious Headless Android packages
Sources of Infection for Mobile Devices
Malware has many ways to infect mobile devices. Our internal research data shows that several key sources are responsible for the majority of Android infections:
- Web ads, malvertising
- Third-party app stores
- Wi-Fi networks responsible for MitM and SSL injection
- Targeted APT attacks, espionage
- Malicious APKs in Play Store
CUJO AI On The Move greatly mitigates several of these threat categories outright by preventing devices from accessing malicious websites, falling victim to man-in-the-middle attacks, malicious advertising, among other threats. On The Move uses AI models to identify, classify and quickly prevent these sources from spreading malware to Android devices.
Protecting Android OS Devices
Trusted antivirus software and good personal device security practices keep Android devices safer, yet these might not always prove impenetrable for malicious actors. We always recommend combining timely update practices with frequent encrypted backups of any information you might find useful or important. Do not forget to audit app permissions for file system access and online connectivity on your device. If you are a power-user, monitor your device’s traffic whenever you start using a new application and after any updates for a more in-depth view of what it’s doing.
The Future for Android Malware
There are some key threat types that are likely to continue growing in the near future. Ransomware is perhaps the best-known type of malware today, yet this does not necessarily mean that Android devices will be encrypted and ransomed themselves. It is more likely that smartphones might be used as infection vectors for other systems. This is especially alarming when we consider how low the adoption of antivirus software is on Android devices, as well as how many networks these devices connect to throughout a given period of time.
Threats we expect to grow:
- Texting, calling premium phone numbers
- Bankers, stealing credit card information or mobile banking credentials
- Stealing sensitive data, such as phone conversations, messages
- Abuse of in-app payments
- Targeted, APT-attacks against journalists
Android Vulnerabilities Outside Protected Networks
Infected Android devices that are connected to secured networks might be at a lower risk, as known malicious servers and services would be blocked by CUJO AI’s countermeasures. Nevertheless, when these devices leave the protected environment, they can get injected ads, be abused as proxies, their traffic get stolen, the entire file system scanned and accessed, etc.
Android malware can do the following:
- A malicious app can abuse the Device Administrator API, that is intended for MDM.
- Ad framework injection, where ads in other applications are replaced with malicious ones.
- Accessibility Administrator API abuse, where malware can tap into the screen reader, screen tapper functionality, intended for people with disabilities. The malware can tap itself into Android Device Administrator via this API.
- Root access abuse, where attackers can get any permissions, see the entire file system, and access the device and accessibility administrator APIs.
- Analysis detection tricks, e.g., an application that does not do anything itself, but downloads another APK.
- Ransomware and extortion techniques.
- Steal sensitive data via:
- GET_TASK + accessibility or the SYSTEM_ALERT permission techniques.
- Abuse other, less well-known APIs.
Mobile devices are a crucial weak point in network security, as they can get infected on other networks. Protecting Android devices outside of secured home and business networks is a crucial part of the cybersecurity puzzle. On The Move greatly expands the ways in which these devices can be protected and allows users to not only avoid known malware, but also prevents phishing attempts and mobile browsing threats.
My special thanks to Vytenis and Simona for giving a helping hand with publishing this article.