Detecting and Removing Android Malware

Android Malware

A friend reached out recently asking for some advice as to how to determine if her Android device had been infected. Apparently, she’d fallen prey to a Facebook Messenger attack and clicked on a dirty link, and now her phone was doing some weird things. So after walking her through the process, I figured it might be worth sharing with others. Also, I have been too busy to write much, so it’s a chance for me to turn the notes into a post: two birds and all that!

NOTE: If you rooted your device, you should be able to fix it. These steps still apply, in some capacity, but rooting the device opens up a whole other can of worms from a security standpoint.

CAVEAT: Before we go on, we should level-set our understanding to one sad but simple fact. Modern malware is nasty. Software isn’t made well in many cases, and it is entirely too easy for a skilled bad guy to outsmart the good guys. If your device is infected, I highly recommend backing up your data to salvage what you can and doing a factory reset on the device. We can take our chances with disinfecting, but a reset is always the safest bet if you can afford it.

Indicators of Compromise

None of these symptoms is proof of an infection on its own; technology is messy and sometimes things happen. But if you experience them regularly, it’s increasingly likely that there is an issue.

Decreased Performance

A change in how a device behaves is the first indicator that something may be afoot. Unfortunately, that doesn’t mean just being slow, because that is an inherent trait of the Android platform. Much like your laptop or desktop, these devices need maintenance in order to run properly, and you may just need to do some housekeeping. We’ll look more at removing malware and doing general housekeeping later on in the post, but first let’s look at some signs of infection.

Bad Battery Life

Another IoC is when the battery mysteriously drains quicker than usual. Users generally have a good idea of how long their battery should last, so a sudden increase in battery usage is likely due to something suspicious. Continuously displaying aggressive ads, for example, can impact battery life significantly. Whether malware hides in plain sight by pretending to be a regular application or tries to stay hidden from the user, abnormal battery drain can indicate the presence of an Android infection.

Can You Hear Me Now?

Disruptions during a conversation or dropped calls are another indication of a possible infection. While this can also be the fault of your carrier, malware could be the culprit. Call your service provider to determine if there are any service issues with the network in your area. It’s important to determine if this is the fault of the carrier, or if something more worrisome is going on.

Mo Money, Mo Problems

Android malware can steal data from your device, send text messages to premium numbers, and even make phone calls from a compromised device. This malware may send an SMS message only irregularly to fly under the radar, or may self-destruct after running up substantial charges, uninstalling from the device without a trace. Consider setting up usage quotas with your carrier to help identify anomalies here. Finally, check your phone bill often to determine if anything nefarious is going on.

Housekeeping

If you’re still reading, I’ll presume that you’ve determined, using the Indicators of Compromise above, that your device is compromised. The next step is to start cleaning up the mess. Following these steps can help get things back to normal.

Out with the Bad

The very first thing you want to do, in the event of an infection, is to uninstall anything you no longer need or use. Going through your application manager allows you to identify, and remove, any apps that might be causing problems. It’s also important to look for things you didn’t install, as Android malware has been known to act as a “trojan dropper”, which simply assists in getting more devious malware onto a compromised device. A good rule of thumb is that if you haven’t used the application in the last 3 months, it can probably go.

Scan for Threats

The next step is to scan the device using some security software. I’ll talk more about general antivirus solutions for Android later, but I highly recommend Malwarebytes Anti-Malware for this task. While nothing is perfect, MBAM is a good starting point for disinfecting an infected device.

Clean the Crap

By this point, we have established at least a little faith in the device. Next it’s important to delete the remnants of unwanted data and free up as much space as we can. Crap Cleaner, or CCleaner, from Piriform Software has long been a solid housekeeping solution for laptops and desktops. I was elated when they released a mobile version! CCleaner is able to clean cached data, downloaded files, and even gets rid of the old APK files that have been left over after installing apps. Use this handy app regularly to free up space and keep your device running smoothly.

Install Antivirus

Antivirus has served a valuable place in computing for decades, and that’s not likely to change anytime soon. If you’re using a device that’s connected to the internet, you should be using some form of antivirus. This goes for your mobile device(s) just as for a laptop or desktop or anything else. There are many solutions out there and I have no intention of opening this can of worms right now. Consider researching the options and determining which is best for you. It’s never a bad idea to test several options, but remember to test only one antivirus solution at a time, as multiple installations could create conflicts and actually decrease the efficacy of the software. Here is a link to some content by sources I respect. Take some time to do your homework and pick the solution that’s best for you.

Stay Vigilant

These devices have become increasingly important in our day-to-day lives, and they contain more and more sensitive data as a result. Because of this dependence, we have to protect these devices in order to protect our data. While there is no “silver bullet”, and anything can be hacked, these steps can at least make you a harder target.

Default Settings

Am I actually advocating for leaving default settings in place? Yes, I am. Android devices ship with several security controls in place which work to prevent compromise in dangerous situations. Leaving these settings in place can help to prevent attacks such as a trojan dropper. Another good default setting to mention here is keeping the USB Debugging feature turned OFF. Turning USB Debugging on could allow unauthorized users with physical access to the device to gain access to sensitive data on it without permission.

Shop Responsibly

The Google Play Store is the only source you should trust for installing applications on your Android device. Let me say that again. The Google Play Store is the only source you should trust for installing applications on your Android device. Google Protect provides several layers of security around the apps that make it to the Play Store and has been proven time and again to quickly address any potential issues that fall through the cracks. Avoid installing apps from other sources that might not be so diligent.

Police your Permissions

One of the longest-standing complaints I’ve had about the Android platform is the unnecessarily broad permission requests apps make. For example, if you’re downloading a simple game like Angry Birds, why does it need access to your contact list? Unfortunately, Android users are in a pickle. If you want to use the app, you have to accept the permissions. There’s really no way around it. So, when you’re installing an app, just review these carefully and ask yourself if each one is really necessary.
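The checks in “Out with the Bad”, “Mo Money, Mo Problems”, “Shop Responsibly” and this section can be turned into a quick triage of a device’s third-party apps. The script below is an added example written for this post; it is not code from the original article, from Android, or from any of the products mentioned. It assumes you have already captured the output of two real adb commands to text (`adb shell pm list packages -3 -i` for third-party packages and their installer, and `adb shell dumpsys package <pkg>` for each package’s requested permissions) and then flags anything not installed from the Play Store or requesting permissions that line up with the symptoms above (premium SMS and calls, overlay ads, dropping further APKs, contact harvesting). The sample outputs and the `com.example.*` package names are constructed for the example and are not real apps.

```python
"""Triage of a device's third-party apps from captured adb output.

Added example, not from the original post. Real commands whose output it expects:
    adb shell pm list packages -3 -i      # third-party packages + installer
    adb shell dumpsys package <package>   # per-package details incl. permissions
The SAMPLE_* data below is constructed; com.example.* names are placeholders.
"""
import re

# Installer package id of the Play Store (real value); anything else is sideloaded.
PLAY_STORE = "com.android.vending"

# Real Android permission names tied to the symptoms the post describes.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate charges)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.CALL_PHONE": "can place calls without the dialer UI",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay ads)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper)",
    "android.permission.READ_CONTACTS": "can read the contact list",
}

# Constructed sample of `pm list packages -3 -i` output.
SAMPLE_PACKAGE_LIST = """\
package:com.example.game  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed samples of `dumpsys package <pkg>` output (only the lines we parse).
SAMPLE_DUMPSYS = {
    "com.example.game": """\
Packages:
  Package [com.example.game] (1a2b3c):
    firstInstallTime=2023-01-14 10:02:11
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
""",
    "com.example.flashlight": """\
Packages:
  Package [com.example.flashlight] (4d5e6f):
    firstInstallTime=2024-03-02 22:41:07
    requested permissions:
      android.permission.CAMERA
      android.permission.SEND_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
""",
    "com.example.notes": """\
Packages:
  Package [com.example.notes] (7a8b9c):
    firstInstallTime=2022-11-30 09:15:42
    requested permissions:
      android.permission.INTERNET
""",
}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$", re.MULTILINE)
INSTALL_RE = re.compile(r"^\s*firstInstallTime=(\S+ \S+)", re.MULTILINE)


def parse_package_list(text):
    """Map package name -> installer id from `pm list packages -3 -i` output."""
    return {name: installer for name, installer in PKG_RE.findall(text)}


def requested_permissions(dumpsys_text):
    """Collect the entries under 'requested permissions:' in dumpsys output.

    The block ends at the next section header (a line ending in ':') or a blank line.
    """
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if not stripped or stripped.endswith(":"):
                in_block = False
                continue
            perms.add(stripped)
    return perms


def triage(package_list_text, dumpsys_by_package):
    """Return one finding per package, most suspicious first (higher score = more reasons)."""
    findings = []
    for pkg, installer in parse_package_list(package_list_text).items():
        dump = dumpsys_by_package.get(pkg, "")
        reasons = []
        if installer != PLAY_STORE:
            reasons.append(f"not installed from the Play Store (installer={installer})")
        for perm in sorted(requested_permissions(dump) & set(RISKY_PERMISSIONS)):
            reasons.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
        m = INSTALL_RE.search(dump)
        findings.append({
            "package": pkg,
            "installer": installer,
            "installed": m.group(1) if m else "unknown",  # recent installs deserve a closer look
            "score": len(reasons),
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: (-f["score"], f["package"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        print(f"{f['package']} (installed {f['installed']}, score {f['score']})")
        for reason in f["reasons"]:
            print("  -", reason)
```

On a real device, replace the two constructed samples with the captured command output; a package that is both sideloaded and asks for SMS, overlay or install permissions is the first candidate to uninstall under “Out with the Bad”, and a recent `firstInstallTime` on something you don’t remember installing is exactly the trojan-dropper pattern the post warns about.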

Conclusion

At the end of the day, due diligence pays off. Knowing what you’re installing and having confidence in the source, as well as paying attention to anomalies, all go a long way toward keeping your device safe. Perform regular maintenance on your device by checking for rogue apps and deleting any files that aren’t needed. Take the chance to reduce the attack surface wherever you can and you’ll make yourself a harder target to hit.

Profiling a WordPress Attack

Hacking the Hackers

Welcome back to those of you playing along at home. This site has been down for a considerable amount of time, but I’m back! And I bring with me tales from the battlefield. Let’s talk a little about WordPress and security, shall we?

A WordPress honeypot

Some time ago, while doing maintenance on the site, I identified an opportunity for a research project. I decided it would be fun to turn the WordPress installation into a honeypot and collect some threat intelligence. I decided it was time once again to delve into the current state of WordPress security. So I disabled the security controls, stopped updating the software and sat back to watch the world burn.

It didn’t take long before I started seeing scans pour in. And in a matter of days I captured some malware and began to catalog the attack patterns of WordPress attackers. It’s fascinating to see the evolution of PHP malware as related to WordPress specifically. I spent some time doing extensive research into the breach, analyzing the attack patterns, and even tracing the honey data that was posted in various parts of the internet. Eventually I’ll be writing that up as a blog series later in the year to show you how it all played out, but for now I’m getting things back online and ready to roll it out, so here we go!

So welcome back and thanks for joining me for the next chapter of the adventure! I’ll be repopulating the database in the near future to re-establish a lot of the old content, and going forward if there is content you like please say so and I will mark it for salvation in case this happens again. As always, if you have questions or if there is some content you’d like to see covered here, don’t hesitate to contact me! I’m always happy to engage others and to push myself to produce desired content. I appreciate you for taking the time to visit and hope to see you around the internet.