A Researcher at Kaspersky Lab published an article about the malicious Andoird Apps using Google Cloud Platform Messaging Service and leverage it as CnC (Control & Command Server) to carry out attacks.
Kaspersky Researchers found 1,000,000 different OpFake installers disguised mostly games. The app sends several commands from both the GCM and its own C&C, including the following:
- Texting messages to a specified number
- Sending text messages ( with a link to itself or a different threat) to a specific number from contact list
- Performing updates without user concent
- Stealing text messages
- Deleting incoming text messages that meet the criteria set by the C&C
- Theft of contacts
- Replacing the C&C or GCM numbers
As per Threatpost article:
The first, AndroidOS.FakeInst.a, is one of the more prevalent with more than 4,800,000 installers across 130 countries, primarily Russia and the Ukraine. According to Unuchek, the Trojan can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other, fake malicious programs.
The second, AndroidOS.Agent.ao is being peddled as a pornography app and while with only 300 installers, is substantially less popular than FakeInst., can still can use GCM to send text messages and issue notifications. Also found in Switzerland, Iran, Kenya and South Africa, Agent remains most popular in the UK, where “90% of all attempted infections were detected.”
Malware statistics presented by Kaspersky Lab showed that its products detected and neutralized a total of 983,051,408 threats in the second quarter of 2013; 577,159, 385 infections were prevented from infecting users’ while accessing the internet; 400,604,327 malicious programmers were prevented from infecting users’ machines; and 29,695 new malware modifications were added to Kaspersky Lab’s detection system in the second quarter of 2013.
