
Understanding Android Malware Families (UAMF) – The Trojan: An impersonator in the background (Article 2)


Introduction

A Trojan is a sneaky impersonator that behaves like a legitimate program while hiding in the background and stealing information from the device. Trojan samples often delete, modify, block, and copy data to disrupt services provided by the operating system. Trojan is the most significant malware category and spans several subcategories, including Trojan-Banker, Trojan-Dropper, Trojan-SMS, and Trojan-Spy. This article uncovers the prominent Trojan categories and provides deep insights into the functions, activities, and communication processes used by well-known Trojan families. It presents imperative indicators that a smartphone is infected by Trojan malware and digs deeper into the technical features that can detect a Trojan on a smartphone. Finally, the article introduces some preventive measures to protect a device from Trojan families.


In case you missed it

Understanding Android Malware Families (UAMF) – The Foundations (Article 1)


Trojan categories and families

The prominent Trojan malware categories include Trojan-Banker, Trojan-Dropper, Trojan-SMS, and Trojan-Spy. This section discusses the pertinent functions performed by each of these malware categories and names some important malware families under these malware categories. Figure 1 shows an overview of Trojan malware categories.

Figure 1: Trojan Malware Categories


Trojan-Banker: Trojan-Banker is a malware category that targets banking institutions. It is designed to access confidential information processed during online banking transactions. For example, when a user logs into an online banking payment system to transfer money, a Trojan-Banker may access the user’s confidential information, such as bank account number, credit card details, date of birth, and account balance. The obvious question is, “where does this malware come from to target a banking system?” The answer is that it is installed in one way or another on the target device. It may come embedded in genuine software that the user installed without knowing that it contains a Trojan. Trojan-Banker passes as legitimate software until it is installed on a system. Once installed, it may gain unauthorized access to steal the user’s files and compromise systems. In more severe cases, it may transfer a large amount of money from the user’s account. Consider an example in which a user receives a phishing email from an attacker that appears to be sent by his bank. The email asks him to urgently change the password of his online banking account for security reasons and provides a link at the bottom of the text to open the banking portal. An unwary and frightened user will believe that he must click the link in the email to change his password. As soon as he clicks the link, a phishing web page opens that looks remarkably like the genuine online banking portal. The user enters his login name and password and clicks the submit button, and the attacker captures the credentials for his own use. Some well-known Trojan-Banker families include asacub, fakebank, faketoken, marcher, minimob, bankbot, gugi, wroba, zitmo, svpeng, and guerrilla.

Trojan-Dropper: Trojan-Dropper is a helper malware that drops additional malware on the infected device. It does not perform any malicious activity independently; instead, it supports the malicious activities performed by other Trojan categories. It downloads and installs legitimate-looking malicious files on the infected smartphone and decompresses some harmless files. Trojan-Dropper removes itself automatically after installing the malware. Common activities that result in downloading and installing malware include visiting malicious websites, opening suspicious attachments, and downloading unknown free applications. For example, a user downloads a radio streaming APK from an online Android application store. The application plays FM radio channels at different frequencies. However, the user notices that after installing the radio application the smartphone stays awake unnecessarily. On digging deeper, a reverse engineer found that, apart from playing radio channels, the application was performing malicious activities such as accessing the network state of the phone, installing additional applications without user consent, deleting files from the phone, mounting file systems, visiting malicious and unknown websites, and keeping the phone awake while all these activities ran in the background. The radio streaming application acts as a Trojan-Dropper that is not itself malicious; it comes bundled with a set of malicious APKs that get installed alongside it and then start performing malicious actions on the target device. Some well-known Trojan-Dropper families include cnzz, locker, rooter, xiny, boqx, hqwar, ramnit, ztorg, and gorpo.

Trojan-SMS: Trojan-SMS is primarily involved in sending Short Message Service (SMS) messages from an infected mobile device. It accesses the telephony manager of the Android operating system, through which it can read the contact list on the infected device and send short and multi-part text messages to numbers taken from that list. Crucially, these activities are performed without the user knowing about them. Sending text messages to premium-rate SMS numbers incurs a fee, so the victim is targeted financially by Trojan-SMS. In the aftermath of these malicious activities, the user is notified of unexpected charges for messages sent from his phone. Notably, Trojan-SMS is installed automatically alongside some free applications that claim to provide useful functionality. Some well-known Trojan-SMS families include opfake, hipposms, podec, feejar, smsdel, plankton, jsmshider, smsbot, boxer, fakeinst, and vietsms.

Trojan-Spy: Trojan-Spy is spyware that spies on the infected cell phone. It is designed to steal information from the target device by several means. Trojan-Spy malware grabs device information such as the International Mobile Equipment Identity (IMEI) number, IP address, and the list of installed applications. Unusual activities performed by Trojan-Spy include switching the mobile ringer (for example, from normal mode to silent mode), sending and deleting SMS messages, accessing Wi-Fi and turning it off, and connecting to available Wi-Fi access points other than the one the user is already connected to. Some well-known Trojan-Spy families include spynote, kasandra, spyagent, spyoo, tekwon, sandr, qqspy, smforw, smsthief, smszombie, and spydealer.


Table 1 provides a brief description of the Trojan categories and lists some common malware families under them.

Table 1: Summary of Trojan categories

Malware Category | General Description of Behavior | Common Malware Families
Trojan | An impersonator that hides itself in the background and disrupts the services provided by the operating system. | autosms, gluper, hiddenapp, mobtes, qysly, boogr, subspod, drosel, autoinst, obtes, noicondl
Trojan-Banker | Picks out the banking system to steal username and password, and illegitimately transfers money from the user’s account to the attacker’s account. | asacub, fakebank, faketoken, marcher, minimob, bankbot, gugi, wroba, zitmo, svpeng, guerrilla
Trojan-Dropper | Acts as helper software to Trojan malware: drops additional malware, installs it, and removes itself automatically. | cnzz, locker, rooter, xiny, boqx, hqwar, ramnit, ztorg, gorpo
Trojan-SMS | Sends text messages to premium-rate numbers, resulting in unexpected charges to the target user. | opfake, hipposms, podec, feejar, smsdel, plankton, jsmshider, smsbot, boxer, fakeinst, vietsms
Trojan-Spy | Spies on target cell phones to steal device information such as IMEI number, IP address, and list of installed applications. | spynote, kasandra, spyagent, spyoo, tekwon, sandr, qqspy, smforw, smsthief, smszombie, spydealer


Imperative indicators to detect Trojan on a smartphone

There are several general and technical indicators that help detect a Trojan on a smartphone. This section delves into both types of indicators.

General indicators: The following general indicators point to the presence of Trojan malware and are easy to observe on an infected mobile device:


Technical indicators: The following technical indicators hint that the smartphone is infected by Trojan malware:

Technical features that can detect Trojan

Based on our research on a representative Android dataset, CCCS-CIC-AndMal-2020, published in collaboration with the Canadian Centre for Cyber Security (CCCS) and the Canadian Institute for Cybersecurity (CIC), there is a set of features that can be used to detect Android malware, especially Trojans. Figure 2 presents the high-ranked features that detect Trojans with high accuracy. These features fall into three categories: memory, network, and API.

Figure 2: Features to detect Trojan with high accuracy


Memory features: Memory features describe the activities malware performs through its use of device memory.

Network features: Network features describe the data transmitted to and received from other devices on the network, covering both foreground and background network usage.

API features: Application Programming Interface (API) features delineate the communication between two applications. Whenever a user browses information in a browser, checks the weather forecast, sets a timer, or uses Twitter on the phone, an Android API is being used in the background.
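The behaviours this article attributes to Trojan-SMS, Trojan-Spy and Trojan-Dropper (premium SMS to harvested contacts, IMEI and Wi-Fi access, silent installs and wake locks) each correspond to Android permissions an APK must request, so a coarse API-level triage can be run over a decoded manifest. The script below is an added example, not code from the article or the CCCS-CIC-AndMal-2020 project; the indicator sets, the `MIN_MATCHES` threshold and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Indicator permissions derived from the behaviours this article attributes
# to each category: premium SMS from the contact list (Trojan-SMS); IMEI,
# Wi-Fi, ringer and SMS-deletion control (Trojan-Spy); silent installs,
# file-system mounting, wake locks and network-state checks (Trojan-Dropper).
CATEGORY_INDICATORS = {
    "Trojan-SMS": {"SEND_SMS", "READ_CONTACTS", "RECEIVE_SMS"},
    "Trojan-Spy": {"READ_PHONE_STATE", "CHANGE_WIFI_STATE",
                   "MODIFY_AUDIO_SETTINGS", "WRITE_SMS"},
    "Trojan-Dropper": {"REQUEST_INSTALL_PACKAGES", "MOUNT_UNMOUNT_FILESYSTEMS",
                       "WAKE_LOCK", "ACCESS_NETWORK_STATE"},
}

# Hypothetical threshold: a category is flagged only when at least this many
# of its indicator permissions are requested together.
MIN_MATCHES = 2

def requested_permissions(manifest_xml):
    """Return the android.permission.* names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n[len(PREFIX):] for n in names if n and n.startswith(PREFIX)}

def triage(manifest_xml, min_matches=MIN_MATCHES):
    """Return {category: sorted matching permissions} for categories at threshold."""
    # A hit is a signal for closer review (dynamic, network and memory
    # features), not proof of infection: benign apps request these too.
    perms = requested_permissions(manifest_xml)
    hits = {}
    for category, indicators in CATEGORY_INDICATORS.items():
        matched = sorted(perms & indicators)
        if len(matched) >= min_matches:
            hits[category] = matched
    return hits

# Constructed sample modelled on the radio-streaming dropper described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.radio">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

With the sample manifest only Trojan-Dropper reaches the threshold; the lone SEND_SMS request is recorded but not flagged, which is the kind of borderline case that should be handed to dynamic analysis rather than decided statically.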

What to do if your device is infected with Trojans?

To stop Trojans from doing any further damage to the device, it is important to remove them by following the steps below:

Preventive measures to protect your device

Here are some imperative preventive measures that can be adopted to protect your device from the havoc created by Trojan malware.

Conclusion

This article brings forward the fundamentals of Trojan malware categories and families and describes the malicious functions performed by Trojans on the target device. We established imperative indicators of compromise that point to a phone being infected by Trojan families. Based on our public Android malware dataset, CCCS-CIC-AndMal-2020, we identified technical features that are extremely useful for detecting Trojan families and divided them into three types: memory, network, and API. Every smartphone user, technical or not, should know what can be done if a Trojan is detected on a smartphone, so we introduced the primary steps to take in that case. Finally, the article introduced preventive measures to protect the device. The next article of the UAMF series will dig into ransomware (a crypto-locker) and scareware (a fear coaxer) malware categories.
