What You Need to Know About Android Trojans
The story of the Trojan Horse originates from an ancient war, the Greeks’ siege of the city of Troy. As the tale goes, the Greeks, after trying to defeat Troy for 10 years, built a huge wooden horse — a supposed token of victory to the Trojans. They wheeled the large statue to the gates of Troy, then pretended to sail away. The Trojans pulled the horse inside the gates, not knowing that a Greek invasion force lay hidden inside. When night fell, the Greeks crept out of the horse, opened the gates, and allowed the rest of the Greek army in — they’d sailed back under cover of night. Long story short: the Greeks entered and destroyed the city of Troy, ending the war.
What’s that got to do with Android?
Metaphorically, a “Trojan Horse” has taken on the meaning of any sort of trick or stratagem which causes a target (you) to invite a foe (“bad guys”) inside its walls. Today we’re familiar with a class of software called “malware” — malicious software — that has plagued computer users for decades. In law, malware is sometimes known as a “computer contaminant”. In practice, malware can be much more than a simple “contaminant”.
Malware is a somewhat generic term that includes computer viruses, trojan horses, worms, ransomware, rootkits, keyloggers, spyware, adware, dialers, and other malicious programs. According to Microsoft, the majority of malware threats are usually worms or trojans, rather than viruses per se [1].
The lines differentiating the various types of malware are often very blurred, with one “computer contaminant” being classified as multiple types of malware. For the purpose of this article we’ll use the more generic classification of a “trojan” as any software that includes an unwanted or unknown payload that’s “delivered” after you’ve willingly installed the “horse” program, and we’ll use some of the terms interchangeably. Fair enough?
Trojan Horses on Android are typically disguised as legitimate software. That’s what makes them so sneaky. Unlike the “olden days” of desktop computing, apps that run on our smartphones and tablets typically come from trusted sources like Google’s Play Store, the Amazon Appstore, or some other “store”. People, just like you and me, go to an app store, search for an app, download, and install it.
These “stores” typically allow any app to be included in their catalog without doing any kind of validation on what the software actually does. Other stores, like those for Apple and Microsoft Phone devices, don’t automatically include apps. Instead they require all apps to go through an approval process.
Unfortunately, this “approval” process doesn’t typically include a code review — at least not one looking for malicious code. Instead, these reviews are veiled in secrecy, with developers being told they are done to “ensure adherence to app guidelines”, or some similar wording. Malicious apps still get through. Anyone who thinks these so-called “reviews” will protect them from trojans or malware is embracing a fantasy. Security through obscurity isn’t real security, it’s just a false sense of safety.
Google hasn’t sat idly by. They routinely run scans on every app in the Play Store to ensure they don’t have malicious code hidden within the apps in their catalog. They also update their scanners with newly discovered malware to help scrub their store of anything that shouldn’t be there. Google also has the ability to remotely remove apps they’ve identified as malicious and can even repair the damage done by most of those apps.
Unlike their competition, Android apps don’t have to come from Google’s Play Store. There are several third-party app market places available, and most users can even “side-load” apps directly onto their devices, bypassing any kind of “store” (and whatever moderation may come from it) entirely.
To address this last circumstance, Google has included an optional security scanner in Android 4.2+ that will verify your apps to see if they contain anything that could be considered “harmful behavior”. While this is only Jelly Bean and above, we suspect all Android-powered devices will include this functionality — eventually.
Some notable Android “trojans”
DroidDream is an app that was included in Google’s Play Store and collected information from infected devices including the unique numbers cellular providers use to identify handsets and SIM cards. Using this information “cybercrooks” could potentially clone your SIM card, allowing them to read your text messages, send premium-rate SMS messages, and more.
Fakeneflic is a malicious copy of the popular Netflix app. Its “payload” was stealing the login credentials of your Netflix account so the thieves could do who-knows-what with them. Maybe they just wanted to watch Sneakers.
GGTracker targets U.S. Android users and milks money from their cellular account through a series of premium SMS subscription services.
Nickispy is an app with a somewhat legitimate purpose: some Chinese app stores are marketing it as a way to see if your spouse or significant other is cheating on you. The app itself steals location information gathered by GPS and Wi-Fi, and records phone calls and text messages, then sends all this to a remote site without the user’s knowledge.
The list goes on and on, but they all are essentially variants on the same themes: steal information, gather money through text messaging, spy on your location, and/or spy on your conversations.
How can you stay safe?
Read the permissions. Whenever you install an app, whether from the Play Store or anywhere else, you’re told what permissions you’re giving the app. If you don’t think that battery saver needs access to send text messages, for example, cancel the install.
Check the reviews. Unless you’re installing an app that’s less than a few minutes old, it probably has more than a few reviews written about it. Generally speaking, those reviews should give you a pretty good picture of whether or not the app is any good. People can lie in the reviews, but if you see more than a few users telling you to stay clear of the app, you might want to do just that.
Avoid “shady” apps. There’s no such thing as a free lunch, and an app that seems too good to be true probably is. Apps that imply they can enable you to do illegal, immoral, or unethical things should also be avoided — not because of the type of activity they allegedly enable (who am I to step on your values or belief system?), but because the “bad guys” often prey on the type of user that installs this sort of software by including malicious code in them.
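The “read the permissions” check above can be automated for an app you are vetting. The following is an added example, not code from the original article: it assumes you already have the app's AndroidManifest.xml decoded to plain-text XML, and the theme labels and the sample manifest are constructed for illustration (the permission names are real Android permissions).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# The article's recurring trojan themes, mapped to permissions that enable them.
THEMES = {
    "premium SMS charges": {"SEND_SMS"},
    "device/SIM identifier theft": {"READ_PHONE_STATE"},
    "location tracking": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "call/message spying": {"READ_SMS", "RECEIVE_SMS", "RECORD_AUDIO",
                            "PROCESS_OUTGOING_CALLS"},
}

# Constructed sample: a "battery saver" that asks for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterysaver">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.batterysaver.CUSTOM"/>
  <application android:label="Battery Saver"/>
</manifest>
""".strip()

def declared_permissions(manifest_xml):
    """Return short names of the platform permissions the manifest requests."""
    # For manifests from untrusted sources, use a hardened XML parser instead.
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            names.add(name[len(PREFIX):])
    return names

def audit(manifest_xml, expected=frozenset()):
    """Return ({theme: [permissions]}, can_exfiltrate), ignoring `expected`."""
    perms = declared_permissions(manifest_xml) - set(expected)
    findings = {t: sorted(perms & risky) for t, risky in THEMES.items()
                if perms & risky}
    # Collected data only leaves the device if the app can reach the network or send SMS.
    can_exfiltrate = bool(findings) and bool(perms & {"INTERNET", "SEND_SMS"})
    return findings, can_exfiltrate

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Pass the permissions an app of that kind legitimately needs as `expected` (an SMS client should be allowed `SEND_SMS`); anything left in the findings is what to question before installing.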
Do you need a virus scanner?
Are you following all the “how to stay safe” tips we mentioned above? If so, you probably don’t “need” a virus scanner. In all the time I’ve owned Android-powered phones and tablets I have never — not once — been infected. My kids and even my wife, however, have been hit by some adware and one app that allegedly stole browser history. All of these infections would have been prevented if they’d read the permissions, checked the reviews, and remembered that “there’s no such thing as a free app”.
What do I mean “there’s no such thing as a free app”? Of course there are! Just look in the Play Store! They’re all over the place! While it’s true that some apps don’t cost you money out-of-pocket to download and install on your device, virtually every app you see costs something. Some require a subscription (like Netflix and Hulu+), others require an account (like Facebook, Twitter, Google+, Pinterest, and LinkedIn) which make money off you in various ways, others present advertisements to you, and some are advertisements in and of themselves. Before you install a “free” app, ask yourself “how is the app developer paying for his or her time to make this app?” If you can’t figure out the answer, you may want to avoid the app.
Ultimately, every one of the smartphones and tablets in my house is now running Lookout. This app not only takes care of malware identification and removal, it also can serve as a middle-man when making calls or sending texts from apps (unless you tell it not to). It also handles basic backups, includes lost-phone recovery services, and even has the ability to remotely wipe your device. It’s a “freemium” app, meaning the basic features are free, but more advanced features are available through a purchased subscription. I use the basic, free version.
There are many other antivirus solutions out there, and I’m not advocating one above another. Use what you think is right for you — or nothing at all if you can abide by the simple rules of “how to stay safe”.
What about you?
Do you use an antivirus program? Why or why not, and which one? Have you been hit by a virus or trojan? If so, what was the damage? What methods do you use to keep yourself safe? Let us know all these and any stories that you’d like to share in the comments!