Android malware has started abusing the Google Cloud Messaging (GCM) service normally used to push data to and from legitimate apps as a sneaky command and control channel, Kaspersky Lab has noticed.
Launched by Google in 2012, the free GCM service is now used by most Play Store apps for a variety of tasks including synchronisation, alerting the user, and even exchanging larger messages up to a maximum 4Kb in size.
A more recent update allows it to be used by the Chrome browser to communicate with apps, for instance allowing the same app on different devices to remain in sync.
It seems that malware writers have noticed GCM’s potential, including some of the most successful rogue apps targeting Android.
According to Kaspersky, a prime example is the rapacious and hugely successful toll fraud FakeInst.a, which the firm has blocked from installing 160,000 times, mostly in its Russian and Ukrainian heartland.
The GCM channel is crucial to its multi-purpose behaviour. Although it can generate shortcuts to malicious sites, delete messages and fire up adverts for other malware apps, it can also be instructed to send premium rate SMS texts when it receives the right command, Kaspersky said.
The same applies to Agent.so, which also uses GCM to retrieve updates. Although less common, this app is noteworthy for mostly targeting UK Android users, where the firm spotted install attempts on 6,000 occasions.
Possibly the most interesting of all is OpFake.a, for which Kaspersky Lab has detected 1 million installers. With the full gamut of Android malware behaviours, including stealing data, its creators dovetail their own C&C channel with experimental use of GCM, possibly as a backup.
“It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service,” said Kaspersky Lab’s Roman Unuchek.
“Even though the current number of malicious programs using GCM is still relatively low, some of them are widespread. These programs are prevalent in some countries in Western Europe, the CIS, and Asia.”
Android malware writers are probably experimenting with GCM because it is currently much harder to block than conventional C&C, which uses hardcoded servers; it is also rapid by C&C standards.
As Kaspersky points out, blocking GCM as a back channel would require Google itself to nix the developer accounts used to generate legitimate GCM IDs; security apps would be unable to do this on their own.
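Since security apps cannot block GCM itself, what they can do is spot apps that combine GCM registration with SMS capability, the FakeInst.a profile described above. The following static triage check over a decoded AndroidManifest.xml is an added illustration, not code from Kaspersky or the article; the sample manifest, package name and receiver name are constructed.

```python
"""Flag manifests that pair a GCM-registered receiver with SMS permissions.
Added example: the manifest below is constructed, not from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample: a GCM receiver plus SEND_SMS, the push-driven toll
# fraud shape. Package and receiver names are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return GCM receivers, SMS permissions and a review flag for a manifest."""
    root = ET.fromstring(xml_text)
    # Manifest elements are un-namespaced; only attributes carry android:.
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    gcm_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if GCM_RECEIVE_ACTION in actions:
            gcm_receivers.append(recv.get(ANDROID_NS + "name"))
    sms = sorted(perms & SMS_PERMS)
    return {
        "package": root.get("package"),
        "gcm_receivers": gcm_receivers,
        "sms_permissions": sms,
        # A triage signal for manual review, not proof of malice: many
        # legitimate messaging apps legitimately hold both.
        "review": bool(gcm_receivers) and bool(sms),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```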
What is already known is the dominance of Russian crimeware organisations over the mobile malware business, with as few as 10 gangs believed to control a large portion of the SMS toll fraud scams alone.