SECURITY RESEARCHERS at antivirus vendor Trend Micro have identified an Android trojan whose creators are using blog posts as a redundancy and update mechanism.
The trojan, which the security company named "ANDROIDOS_ANSERVER.A", poses as an e-book reader application and is mainly distributed through Chinese app stores.
Unofficial app stores are very popular in China, because smartphone owners from that part of the world don't have access to Google's Android Market yet.
However, past examples have shown that Chinese Android malware can quickly spread to western markets and even make its way into Google's own Android Market.
Unlike some other Android trojans, ANSERVER.A doesn't exploit a vulnerability to obtain root access and install itself. Instead it relies on social engineering: the victim installs it willingly, believing it to be a legitimate e-book reader.
Upon installation the malware asks for extensive permissions, such as the ability to make calls, access the internet, restart apps, write, read, receive and send SMS messages, read and write contact details and more.
These are not permissions that a regular e-book application would need in order to function and, for experienced users, they should be a dead giveaway that something is shady.
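The permission mismatch described above is something an analyst can check mechanically rather than by eye. The script below is an added example, not Trend Micro's code or anything from the trojan itself: it parses a decoded AndroidManifest.xml, compares the requested permissions against a baseline of what a plain e-book reader plausibly needs, and flags the ones that let an app call, text, read the address book or kill other apps. The baseline, the high-risk list, the package name and the sample manifest are all assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: namespace; elements do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Baseline of what a simple e-book reader plausibly needs (our assumption, not a
# published profile): network access for downloads and storage for the books.
EBOOK_READER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions that let an app call, text, read the address book or restart other
# apps; none of these belong in a reader and each is a red flag on its own.
HIGH_RISK = {
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.RESTART_PACKAGES",
}

# Constructed sample manifest for a fake reader that asks for the kind of
# permission set described in the article. The package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeebooks">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <application android:label="Free eBooks"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def audit_permissions(manifest_xml, baseline=EBOOK_READER_BASELINE):
    """Compare requested permissions against what this kind of app should need.

    Returns the full requested set, the permissions outside the baseline, the
    subset of those that are high-risk, and a boolean verdict.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = requested - baseline
    high_risk = requested & HIGH_RISK
    return {
        "requested": requested,
        "unexpected": unexpected,
        "high_risk": high_risk,
        "suspicious": bool(high_risk),
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST)
    print("unexpected:", sorted(report["unexpected"]))
    print("high risk: ", sorted(report["high_risk"]))
    print("suspicious:", report["suspicious"])
```

The manifest inside a real APK is stored as binary XML, so decode it first (apktool does this, or `aapt dump permissions app.apk` lists the permissions directly) before feeding it to the script. A different app category simply gets a different baseline set.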
By far the most interesting aspect of this trojan is its command and control infrastructure. Trend Micro's researchers discovered that the malware connects to a regular server to upload data and receive commands, but also to a blog containing encrypted posts and binary files.
After they managed to decrypt the content, the company's analysts realized that the mysterious blog posts define backup command and control URLs for use in case the hardcoded one goes down.
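To make the failover mechanism concrete, the following is an added example that models it in Python; it is not code from the trojan and not Trend Micro's analysis tooling. The page does not say how the blog posts were encrypted or laid out, so the XOR-plus-base64 encoding, the `c2=URL;c2=URL` field format, the key, and every hostname below are assumptions. The point it shows is the order of operations: the hardcoded server is tried first, and only if it is unreachable does the client pull the blog feed, skip posts that do not decode, and fall through the backup URLs in order.

```python
import base64

# Assumed encoding for this demo: XOR with a fixed key, then base64. The article
# does not describe the real scheme, so treat this purely as a stand-in.
KEY = b"demo-key"

# Hypothetical hardcoded server, standing in for the one embedded in the trojan.
HARDCODED_C2 = "http://primary.example/cmd"


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_post(plaintext):
    """Encode a config string the way our (assumed) blog posts are encoded."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), KEY)).decode("ascii")


def decode_post(body):
    """Decode a post body; raises ValueError if it is not an encoded config post."""
    raw = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    return xor_bytes(raw, KEY).decode("utf-8")  # UnicodeDecodeError is too


def parse_config(text):
    """Extract backup URLs from 'c2=URL;c2=URL;...' fields (our assumed format)."""
    urls = []
    for field in text.split(";"):
        key, sep, value = field.partition("=")
        if sep and key.strip() == "c2":
            urls.append(value.strip())
    return urls


# Constructed blog feed: one innocent post that the decoder must skip rather
# than crash on, followed by one encoded config post listing two backups.
BLOG_POSTS = [
    "Nice weather today.",
    encode_post("c2=http://backup-one.example/cmd;c2=http://backup-two.example/cmd"),
]


def backup_c2_from_blog(posts):
    """Walk the feed, decode what decodes, and collect backup C2 URLs in order."""
    urls = []
    for post in posts:
        try:
            text = decode_post(post)
        except ValueError:
            continue  # not an encoded config post
        urls.extend(parse_config(text))
    return urls


def resolve_c2(reachable, posts=BLOG_POSTS):
    """Return the first reachable C2: the hardcoded one, then blog-derived backups.

    `reachable` is a callable so the failover can be exercised offline; a real
    client would attempt a connection here.
    """
    for url in [HARDCODED_C2] + backup_c2_from_blog(posts):
        if reachable(url):
            return url
    return None


if __name__ == "__main__":
    # Simulate the primary server being taken down: the client lands on a backup.
    down = {HARDCODED_C2}
    print(resolve_c2(lambda u: u not in down))
```

The defensive consequence is the part worth keeping in mind: sinkholing or blocking only the hardcoded host does nothing, because the next check-in resolves to a backup pulled from a legitimate-looking blog. An indicator set for this sample needs the blog host and the decoded backup URLs as well as the primary server.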
The presence of the binaries, which proved to be different versions of the trojan, suggests that ANSERVER.A is a work in progress. So far it has been updated with functionality to display fake update dialogs and to terminate four mobile security applications.
"Based on our research, [it] is the first time Android malware implemented this kind of technique to communicate," the researchers said. However, the use of blogs and social media web sites for malware control is not new. For example, there are known cases of trojan creators using Twitter to control botnets.
As security experts predicted, the Android malware ecosystem is growing rapidly and things are only expected to get worse. "2011 was definitely the year that mobile malware came of age and it should be driving an increase in awareness of the threat among end-users," Rik Ferguson, Trend Micro's director of security research and communication for EMEA told The INQUIRER.
"Smartphone security, such as encryption and anti-malware, is available but not widely deployed. The need is already there for it to be commonplace," he added.