[March 1: See update at end]
Google Code is a well-known platform that provides a collaborative environment for developers working on open source projects. It’s also a target for malware developers. Contrary to what you may think, this is not the first time that Google Code has been used to spread or store malware. (You can find examples in the discovery of uploaded images that led to fake codecs in 2009 and in Windows Trojans/backdoors/password-stealing keyloggers found in 2010.) Further, we have recently found an Android malware that uses Google Code as a distribution platform for both potentially unwanted programs (pay-per-install campaigns or adware) and malicious applications (downloaders).
The first variant of the current malware in Google Code was found in a third-party Android market repacked in a Chinese version of a legitimate memory-optimization application. Every time the application executes or the boot process finishes (device rebooted or turned on), the payload starts as a service running in the background. The service checks a remote server (with the URL encoded in a file inside the “assets” folder) for applications to download that store information in a database created inside the device. (Click the image to enlarge it.)
The data obtained from the web server includes the name of the package, the name of the apk file, and the path used to download the application–which points to a Google Code project:
The database records whether a specific application was downloaded, installed, or opened. Once the data is stored, an execution thread downloads, without user’s consent, the first application in the database. This app is stored under the folder download in the SD card:
As soon as the download finishes, the malicious application tries to install the application by displaying a notification that tricks the user into believing it is a system update. (Translation from Chinese: 系统更新 = “System update” and 您好, 已经获取… = “Hello, the latest patch has been downloaded, please click here to install”):
When the user taps that notification, the downloaded application starts to install using the normal Android procedure. Suspicious applications stored in several Google Code projects have been analyzed; some of them have been classified as PUPs because they have unwanted behavior such as sending private data (IMEI, phone number) to remote servers. Researchers have found a new variant of the malware that, instead of being packed in a legitimate application, is pure malicious code which does not show any icon in the main menu. However, it can be seen installed in the Downloaded section of Manage Applications using a deceptive honeycomb icon and the title Android 3.0 Patch:
Although none of the analyzed samples contains root exploits, this variant has code to check if the device is already rooted. If so, it will proceed with a silent install of the downloaded application with the command “pm install –r.” Another difference with the variant in the Google Code project is that the malicious behavior starts only if the screen of the device is turned off, probably to make the system update appear normal.
Despite the fact that most of the applications available in Google Code projects are neither malicious nor PUPs, the links stored in the remote server, along with the text of the notification, can change at any time. Thus virtually any application can be installed on the device without the user’s consent. McAfee Mobile Security detects all these variants as Android/FakeUpdates.
Update: The affected projects have been removed by Google.