Android malware under blog control says Trend Micro
Trend Micro is reporting a Chinese Android malware that operates partly under the command and control of a blog.
The ANDROIDOS_ANSERVERBOT.A malware is disguised as an e-book reader offered on a third-party Chinese app store. It uses two command and control servers, one of them served out of a blog with encrypted posts. Posts to the blog identify the URL of the primary CC server.
This presumably gives the malware’s makers a handy way to move their CC server around to avoid detection. The blog also hosts new copies of ANDROIDOS_ANASERVERBOT.A which are downloaded when the software connects (see Trend Micro’s flowchart for the process).
The security company also notes that upon installation, the supposed e-book reader asks for an unreasonable number of permissions – should the user be foolish enough to allow installation after reading the permission requests, the malware can access network settings and the Internet, control a device’s vibration alert, disable key locks, make calls, read low-level logfiles, read and write contact details, restart apps, wake the device, and use SMS.
Targeted at Chinese users, the app also disables security software from Qihoo360 and Tencent, among others.
Android security has been increasingly under a cloud, with HTC scrambling for a fix after turning its phones into data-spewing monsters; a banking Trojan designed to intercept security texts; a security researcher discovering a dozen malicious apps on the official Android market; and earlier this month, Google was criticized as ignoring a bug that allowed malware to be installed without warning.
Trend Micro’s post is here. ®