Double trouble for Android

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 12 May 2016
Check Point and Kaspersky Lab unearthed major vulnerabilities in the Android OS.
Check Point and Kaspersky Lab unearthed major vulnerabilities in the Android OS.

Android, the most dominant operating system, faces more security challenges, with two global security companies discovering major flaws in a week.

Israeli-based cyber security company Check Point Software Technologies has uncovered a new Android malware campaign on Google Play, which it calls Viking Horde.

According to Check Point, Viking Horde conducts ad fraud and can also be used for other attack purposes such as distributed denial-of-service attacks, spam messages, and more. At least five instances of Viking Horde managed to bypass Google Play malware scans so far.

Check Point notified Google about the malware on 5 May.

Fellow security vendor Russian-based Kaspersky Lab also discovered old Android devices are at risk from automatically downloaded and executed malware.

Root cause

Check Point says on rooted devices, Viking Horde delivers additional malware payloads that can execute any code remotely, potentially compromising the security of data on the device. It also takes advantage of root access privileges to make itself difficult or even impossible to remove manually.

The company notes the most widely-downloaded instance of Viking Horde is the app Viking Jump, which was uploaded to Google Play on 15 April, and has racked up 50 000 to 100 000 downloads. In some local markets, Viking Jump is a Google Play top free app, it adds.

The oldest instance is WiFi Plus, which was uploaded to Google Play on 29 March, says Check Point. Other instances include the apps Memory Booster, Parrot Copter, and Simple 2048.

Doros Hadjizenonos, country manager of Check Point SA, says Viking Horde-infected apps have a relatively low reputation, which the research team speculates may be because users have noticed the odd behaviour, such as asking for root permissions.

Describing how Viking Horde works, Hadjizenonos says the malware is first installed from Google Play. He adds that while the app initiates the game, it installs several components, outside of the application's directory.

The components are randomly named with pseudo-system words from a pre-set list, such as core.bin,, android.bin and update.bin.

"They are installed on the SD card if the device is not rooted, and to root/data if it is. One of these files is used to exchange information between the malware's components. A second file contains the list of the generated names of the components, to make them available to all components," Hadjizenonos explains.

"The malware uses several techniques to remain on the device. Viking Horde installs several components with system-related names, so they are hard to locate and uninstall."

Unusual activity

Meanwhile, Kaspersky Lab says while observing the activity of several cyber criminal groups, it spotted unusual activity in a malicious script, on an infected Web site, which puts Android users at risk. The script usually activates the download of Flash exploits, to attack Windows-users, it notes.

However, Kaspersky says at some point, it had been changed so it can check the type of device its victims are using, searching specifically for Android version 4 and older. Spotting the danger, Kaspersky experts decided to delve deeper.

According to the security solutions company, infecting an Android device is much harder for criminals then infecting a Windows PC. The Windows OS - and many widespread applications for it - contains vulnerabilities that allow malicious code to be executed without any interactions with a user. This is not generally the case with the Android OS, as any application installation requires confirmation from the owner of an Android device.

However, it points out vulnerabilities in the OS can be exploited to bypass this restriction and, as researchers discovered during their investigation, this does happen.

"The exploitation techniques we've found during our research were nothing new but borrowed from proof of concepts, previously published by white hat researchers," says Victor Chebyshev, security expert at Kaspersky Lab.

"Users of these devices deserve to be protected with corresponding security updates, even if the devices are no longer being sold at the time."