{"id":77006,"date":"2013-10-17T17:36:59","date_gmt":"2013-10-17T12:06:59","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=77006"},"modified":"2013-10-17T17:36:59","modified_gmt":"2013-10-17T12:06:59","slug":"top-20-android-malware-how-they-work","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/top-20-android-malware-how-they-work\/","title":{"rendered":"The Top 20 Android Malware &#8211; How they work"},"content":{"rendered":"<p style=\"text-align: left;\">In our earlier <a href=\"https:\/\/blogs.quickheal.com\/the-top-20-android-malware-quick-heal-mobile-threat-report\/\" target=\"_blank\">blog post<\/a>, we talked about the top 20 malware plaguing the Android platform. In this post, we will give you an insight into how each of these malware functions once it gains entry into targeted devices.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2013\/10\/top_android_malware.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-77027 aligncenter\" alt=\"top_android_malware\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2013\/10\/top_android_malware.png\" width=\"250\" height=\"250\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><strong>The Top 20 Android Malware<\/strong><\/p>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">1. 
Android.FakeRun.A<\/span><\/p>\n<p>\u2022 Android.FakeRun.A is designed to display ads on the infected device, to earn money for the malware author.<br \/>\n\u2022 The ad urges the user to give it a 5 star rating and increase its popularity.<br \/>\n\u2022 The Trojan also prompts the user to share information about the app on their Facebook accounts, even before it starts.<br \/>\n\u2022 This Trojan is mostly relevant in the US.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">2. Android.NickySpy.A<\/span><\/p>\n<p>\u2022 Android.NickySpy.A steals information from the infected device and sends it to an external server.<br \/>\n\u2022 Once installed, it hides itself; it gets installed as \u201cAndroid System Message\u201d<br \/>\nThe malware:<\/p>\n<ul>\n<li>Records the victim\u2019s telephone calls.<\/li>\n<li>Keeps track of the location.<\/li>\n<li>Sends SMSs to premium-rate numbers.<\/li>\n<\/ul>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">3. 
Android GingerMaster<\/span><\/p>\n<p>\u2022 Android GingerMaster typically comes with fake versions of popular games.<br \/>\n\u2022 Once installed, the application gains admin rights.<br \/>\n\u2022 It sends confidential data to external servers.<br \/>\n\u2022 The malware can also download additional applications in the background without the user\u2019s knowledge.<br \/>\n\u2022 It can give remote access of the device to the hacker.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">4. Android.Nyearleaker.B<\/span><\/p>\n<p>\u2022 Android.Nyearleaker.B comes in the form of a live wallpaper application that steals information.<br \/>\n\u2022 Once installed, the malware performs the following functions:<\/p>\n<ul>\n<li>Fetches information about the device\u2019s WiFi connectivity.<\/li>\n<li>Checks for running applications in the device.<\/li>\n<li>Collects country code, Google account email address, and Android ID.<\/li>\n<\/ul>\n<p>\u2022 It sends the stolen data to its own server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">5. 
Android.Ewalls.B<\/span><\/p>\n<p>\u2022 Android.Ewalls.B comes as a wallpaper application, and steals information of the infected device.<br \/>\n\u2022 The malware steals the following information, once the user installs it in their phone:<\/p>\n<ul>\n<li>SIM details<\/li>\n<li>Operator name<\/li>\n<li>Device\u2019s serial number (IMEI &#8211;<em> International Mobile Station Equipment Identity<\/em>)<\/li>\n<li>Model and build detail<\/li>\n<\/ul>\n<p>\u2022 It sends the collected data to a live server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">6. Android.Obad.A<\/span><\/p>\n<p>\u2022 <a href=\"https:\/\/blogs.quickheal.com\/they-come-they-hide-and-they-mess-up-android-obad-and-android-fakedefender\/\" target=\"_blank\">Android.Obad.A<\/a> is a sophisticated Android malware that gains admin privileges.<br \/>\n\u2022 Once it gains admin rights, it cannot be deleted manually.<br \/>\n\u2022 It opens a backdoor in the infected device, downloads files and steals information.<br \/>\n\u2022 The malware also sends SMSs to premium-rate numbers, and can allow the hacker to gain complete control of the device.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">7. 
Android.Iconosis.A<\/span><\/p>\n<p>\u2022 Android.Iconosis.A steals information from infected Android devices.<br \/>\n\u2022 Once installed, the malware collects the phone number of the compromised device.<br \/>\n\u2022 Every time it is executed, it sends an SMS to the number.<br \/>\n\u2022 It also collects the IMEI number of the device, and sends the data to an external server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">8. Android.Aplog.A<\/span><\/p>\n<p>\u2022 Android.Aplog.A is usually detected as a fake version of legitimate games; Temple Run is one of them.<br \/>\n\u2022 Once installed, the malware keeps track of the infected phone\u2019s WiFi.<br \/>\n\u2022 The malware gathers information about the installation and uninstallation of applications in the device.<br \/>\n\u2022 Later it sends all such information to an external server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">9. Android.FakeInst.AI<\/span><\/p>\n<p>\u2022 Android.FakeInst.AI can allow hackers to manipulate SMSs in the compromised Android device.<br \/>\n\u2022 It can be used to manipulate user location and gain access to private information.<br \/>\n\u2022 The malware can send manipulated SMSs to premium-rate numbers.<br \/>\n\u2022 The malware can read the phone state of the user.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">10. 
Android.Fakebrows.A2aab<\/span><\/p>\n<p>\u2022 Android.Fakebrows.A2aab disguises itself as a legitimate app.<br \/>\n\u2022 It asks the user for a phone number when it runs for the first time, and stores the number in a text file.<br \/>\n\u2022 Every time it gets executed, it checks for the stored number. If the number is present, then it runs the phone\u2019s default browser.<br \/>\n\u2022 It monitors incoming SMSs to the compromised device, and forwards the same to the number that was set when it was run for the first time.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">11. Exploit.Lotoor.Af<\/span><\/p>\n<p>\u2022 Exploit.Lotoor.Af is an exploit designed to gain root privileges on Android devices.<br \/>\n\u2022 Once installed, the exploit can gain complete privilege to perform any activity on the compromised device.<br \/>\n\u2022 This exploit has a shell script, and this helps it in gaining admin rights.<br \/>\n\u2022 The exploit will work only when the device has an SD card mounted on it. If not, it simply refuses to run.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">12. 
Android.Fakelook.A5046<\/span><\/p>\n<p>\u2022 Android.Fakelook.A5046 is a back door that hides itself from the Application List.<br \/>\n\u2022 Once executed, this Android malware collects the following information:<\/p>\n<ul>\n<li>Identity of the compromised device<\/li>\n<li>SMSs<\/li>\n<li>Files list from the SD card on the device<\/li>\n<\/ul>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">13. Android.Badao.A<\/span><\/p>\n<p>\u2022 Android.Badao.A sends a text message to a particular number, after it is installed.<br \/>\n\u2022 After its first launch, the application icon automatically disappears.<br \/>\n\u2022 Whenever the victim\u2019s phone receives any new SMS, it is hidden or removed from the compromised device, and the original message is sent to the attacker\u2019s server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">14. Android.Fakeapp<\/span><\/p>\n<p>\u2022 Android.Fakeapp displays ads by downloading configuration files without the user\u2019s knowledge.<br \/>\n\u2022 It collects the compromised device\u2019s IMEI number and phone number.<br \/>\n\u2022 It sends the stolen information to an external server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">15. 
Exploit.Zergrush.C48<\/span><\/p>\n<p>\u2022 Exploit.Zergrush.C48 attacks any vulnerability present in the targeted Android device, to gain root privileges.<br \/>\n\u2022 This type of application sets the property \u201cro.kernel.qemu\u201d to 1 which makes the infected device run like an emulator.<br \/>\n\u2022 This category of application copies itself to \/data\/local\/tmp\/boomsh and changes its privileges.<br \/>\n\u2022 It copies shell from \u201c\/system\/bin\/sh\u201d to \u201c\/data\/local\/tmp\/sh\u201d.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">16. Android.Downsms.A<\/span><\/p>\n<p>\u2022 Android.Downsms.A is a Trojan horse that sends SMSs to premium-rate numbers, and even removes sent messages.<br \/>\n\u2022 It can write to external storage.<br \/>\n\u2022 The malware can open network sockets.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">17. 
Android.MketPay.A<\/span><\/p>\n<p>\u2022 Android.MketPay.A is usually found repacked in legitimate applications available in many Chinese markets.<br \/>\n\u2022 The malware performs the following functions:<\/p>\n<ul>\n<li>Sends SMSs.<\/li>\n<li>Collects IMEI number and phone number of the compromised Android phone.<\/li>\n<li>Automatically places orders for buying apps without the user\u2019s consent.<\/li>\n<li>Intercepts, blocks, and deletes incoming SMSs.<\/li>\n<\/ul>\n<p>\u2022 Sends the stolen information to a remote server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">18. Android.Tatus.A<\/span><\/p>\n<p>\u2022 Android.Tatus.A, once installed, keeps track of SMSs received by the infected device.<br \/>\n\u2022 It keeps a record of applications installed in the device, and sends this data to a remote server.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #faffef; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">19. 
Android.Opfake.E<\/span><\/p>\n<p>\u2022 Android.Opfake.E is a Trojan horse that comes bundled with a legitimate version of the Opera mobile browser.<br \/>\n\u2022 The malware collects data such as IMEI number, operator name, phone type, OS version, and country location.<br \/>\n\u2022 It sends SMSs to premium-rate numbers without the victim\u2019s knowledge.<br \/>\n\u2022 The malware connects to a command-and-control server to receive instructions.<\/p>\n<\/div>\n<div style=\"border: solid 1px #D1D1C2; background: #FAFFFF; padding: 8px; border-radius: 8px 8px 8px 8px; box-shadow: 1px 3px 5px -2px #85855C; margin-bottom: 10px;\">\n<p><span style=\"font-weight: bold; font-size: 1em; color: #006660;\">20. Android.Ksapp.C<\/span><\/p>\n<p>\u2022 Android.Ksapp.C is repackaged from a legitimate application. This application contains a configuration file.<br \/>\n\u2022 It steals sensitive information and sends the gathered information to a remote server.<br \/>\n\u2022 The malware also downloads apk files.<\/p>\n<\/div>\n<p>As mobile technology grows by leaps and bounds, cyber criminals strive to find flaws in it. And they use these flaws to hit the unsuspecting and innocent. So, instead of learning this the hard way, we always have a better option &#8211; staying updated about IT security, and employing <a href=\"https:\/\/www.quickheal.co.in\/quick-heal-total-security-for-android\" target=\"_blank\">mobile security solutions<\/a> that do what they promise.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Blog Post Acknowledgement: Quick Heal Threat Research and Response Team.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In our earlier blog post, we talked about the top 20 malware plaguing the Android platform. In this post, we will give you an insight into how each of these malware functions once it gains entry into targeted devices. The Top 20 Android Malware 1. 
Android.FakeRun.A \u2022 Android.FakeRun.A is designed to display ads on the [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,24,354],"tags":[380,674,675,676,677,678,679],"class_list":["post-77006","post","type-post","status-publish","format-standard","hentry","category-android","category-malware","category-mobile-security-2","tag-android-malware","tag-google-apps","tag-malware-families","tag-quick-heal-mobile-security","tag-sms-trojan","tag-threat-report","tag-top-android-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/77006"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=77006"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/77006\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=77006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=77006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=77006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}