跳到主体内容

Old Android Devices at Risk from Automatically Downloaded and Executed Malware

2016年5月11日

While observing the activity of several cybercriminal groups, Kaspersky Lab researchers have spotted unusual activity in a malicious script, on an infected website, which is putting Android users at risk

While observing the activity of several cybercriminal groups, Kaspersky Lab researchers have spotted unusual activity in a malicious script, on an infected website, which is putting Android users at risk. The script usually activates the download of Flash exploits, to attack Windows-users. However at some point it has been changed so it can check the type of device its victims are using, searching specifically for Android version 4 and older. Spotting the danger, Kaspersky Lab experts decided to delve deeper.

Infecting an Android device is much harder for criminals then infecting a Windows PC. The Windows OS - and a lot of widespread applications for it – contains vulnerabilities that allow malicious code to be executed without any interactions with a user. This is not generally the case with the Android OS, as any application installation requires confirmation from the owner of an Android device. However, vulnerabilities in the OS can be exploited to bypass this restriction. And, as our researchers discovered during their investigation, this does happen.   

The script is a set of special instructions for execution in the browser, embedded in the code of the infected website. The first script was discovered while it was looking for devices operating on the old versions of Android OS. Two more suspicious scripts were also detected subsequently. The first one is able to send an SMS to any mobile number, while the other creates malicious files on the SD-card of the attacked device. That malicious file is a Trojan, and it has the ability to intercept and send SMS messages. Both malicious scripts are able to perform actions independently from the Android user: you would only need to occasionally visit an infected website, to be compromised.

This was made possible because cybercriminals have utilized exploits to several vulnerabilities in Android versions 4.1.x and older - CVE-2012-6636, CVE-2013-4710 and CVE-2014-1939 in particular. All three vulnerabilities were patched by Google between 2012 and 2014; but the risk of their exploitation still exists. For example, because of the Android ecosystem characteristics, many vendors producing Android-based devices are releasing the necessary security updates too slowly. Some don’t release updates at all because of the technical obsoleteness of a particular device model.

“The exploitation techniques we’ve found during our research were nothing new but borrowed from proof of concepts, previously published by white hat researchers. This means that vendors of Android devices should account for the fact that the publication of PoCs would inevitably lead to the appearance of “armed” exploits. Users of these devices deserve to be protected with corresponding security updates, even if the devices are no longer being sold at the time,” - said Victor Chebyshev, security expert at Kaspersky Lab.

In order to protect yourself from drive-by attacks, Kaspersky Lab experts advise the following:

  • Keep your Android-based device software up-to-date by enabling the automatic updates function;
  • Restrict the installation of applications from alternative sources to Google Play, especially if you’re managing a collection of devices used in corporate networks;
  • Use a proven security solution. Kaspersky Internet Security for Android and Kaspersky Security for Mobile with Mobile Device Management are capable of detecting changes on the SD-card of device in real time, and thus protects users against the drive-by attacks described above.

Read more about drive-by attacks against Android-based devices on Securelist.com

Old Android Devices at Risk from Automatically Downloaded and Executed Malware

While observing the activity of several cybercriminal groups, Kaspersky Lab researchers have spotted unusual activity in a malicious script, on an infected website, which is putting Android users at risk
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻