Google Cloud Messaging Hacked. Delivers Malware to Android users and Data Theft

Status
Not open for further replies.

Ink

Administrator
Thread author
Jan 8, 2011
RT: Google messaging service hacked, sends malware to Android users – Kaspersky

Russia’s Kaspersky Lab has found a backdoor in Google Cloud Messaging service (GCM) used by hackers to steal Android users’ data and force them to send paid messages. The scheme is only stoppable by Google, as it relies on stolen IDs of GCM developers.

The Russian computer security firm on Tuesday said it had notified Google of a security breach in its service, which enabled the hackers to register Trojan and Backdoor malware in the network of the internet giant.

“Such tactics rule out the possibility to block access to master server directly on the infected phone,” the Kaspersky team warned in a statement on its website.

Thus, if an Android user is lured into installing some applications containing the malware, he is doomed to have his money or private data stolen – unless Google intervenes.
 
Malware Makers Using Google GCM as a C&C Server to Android Trojans

Info Security said:
Google Cloud Messaging (GCM) is a service provided by Google to its Android app developers. It allows the developer to send messages in JSON format to all installed apps – but it has been hijacked for bad purposes.

JSON, JavaScript Object Notation, is a text-based standard for data interchange. “These messages,” warns Roman Unuchek of Kaspersky Lab, “may contain any structured data, such as links, advertising information, or commands.” GCM using JSON is a service properly used to discover the coordinates of stolen telephones, and send out messages about the release of new game levels, new products, and more. But, says Unuchek, “it would be surprising if virus writers did not attempt to take advantage of the opportunities presented by this service.”

And indeed they have. Kaspersky Lab has now published details on five separate Android trojans that use this process: SMS.AndroidOS.FakeInst.a, SMS.AndroidOS.Agent.ao, SMS.AndroidOS.OpFake.a, Backdoor.AndroidOS.Maxit.a, and SMS.AndroidOS.Agent.az.

The first is one of the most widespread threats targeting Android. Kaspersky has detected over 4,800,000 installers, and blocked 160,000 attempted installations in the last year. “It can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other malicious programs that are spread under the guise of useful applications or games.”

The second is disguised as a porn app, with the primary purpose of sending messages to premium numbers. The third is described by Kaspersky as “a classic example of an SMS Trojan,” with more than 1 million detected installers. Apart from the usual premium messages it is also able to steal contacts and perform self-updates. It has been found in 97 different countries, but predominantly in Russia and surrounding countries, where Kaspersky has blocked more than 60,000 attempted installs. A further 1000 have been blocked in Italy and Germany.

Read more: http://www.infosecurity-magazine.com/view/33983/malware-makers-using-google-gcm-as-a-cc-server-to-android-trojans/
 