Have you ever wondered how some apps rocket up the charts so quickly? Sometimes you'll spot one that seems like a curveball, like a pub rock covers band hitting number one in the download charts.
At the recent Barcelona eCrime symposium, ElevenPaths presented some new thinking on a new Android malware trend called “Shuabang” – a term used in China to describe the shady methods whereby certain apps are being “gamed” in app stores to get them to the top of the charts.
Get downloading – a whole industry in China
“Shuabang” is to app markets what "Black SEO" is to search engines and is sold as a service sometimes for a few hundred or thousands of dollars. This image of a factory line process, with workers employed solely to download apps to boost their ranking, was picked up widely in the media earlier in the year. But there's a stumbling block to the number of downloads you can get… Google accounts.
But to get their fake download rate up, companies would need thousands of registered accounts. There's only so many people you can employ to hit download all day and that isn't exactly an efficient way to run a business. This brings us to the question – “where can we get the other thousands of accounts?”
It's possible to steal them or buy them on the black market, but that carries all sorts of risks. Then, of course, there's always malware – a malicious program that can do much of the heavy lifting for you by infecting numerous devices. But device IDs are required for downloading. You can't just invent device IDs either, as Google will spot them and ban the account from the outset, taking you back to square one.
The big (Shua)bang
What ElevenPaths found was a new kind of malware spread via Google Play that associated fake accounts with existing device IDs. People infected with the malware were unknowingly giving away their own device's ID to the malware creators, and that ID was then associated with these fake Gmail accounts.
The attacker created more than 12,000 Gmail accounts and made them available to malware providers via simple web requests. They then created a malicious app that sent a request for a Gmail account to the attackers' server every ten minutes. The program then simulated the whole registration process against Google services – thereby creating a new, seemingly human, profile. With this the attacker had all they needed to automate the Shuabang system.
These apps were disguised as downloads and spread in Google Play between September and November 2014, getting millions of downloads in the process. Users who thought they were downloading a wallpaper, for example, were actually feeding this army of fake accounts for a Shuabang company.
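The ten-minute request cycle described above is a fixed-interval pattern that a defender can look for in proxy or DNS logs. The following is an added example, not code from ElevenPaths or from the malware; the log format, device names, `.example` hosts and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO time> <device> <destination host>".
# Device names and .example hosts are invented for this illustration.
SAMPLE_LOG = """\
2014-10-01T08:00:02 phone-a accounts.c2.example
2014-10-01T08:03:40 phone-b news.site.example
2014-10-01T08:10:01 phone-a accounts.c2.example
2014-10-01T08:20:04 phone-a accounts.c2.example
2014-10-01T08:21:15 phone-b news.site.example
2014-10-01T08:22:05 phone-b news.site.example
2014-10-01T08:30:03 phone-a accounts.c2.example
2014-10-01T08:40:02 phone-a accounts.c2.example
2014-10-01T08:50:05 phone-a accounts.c2.example
2014-10-01T09:47:30 phone-b news.site.example
2014-10-01T09:48:00 phone-b news.site.example
"""

def parse(log_text):
    """Group request times by (device, host), skipping malformed lines."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        seen[(parts[1], parts[2])].append(when)
    return seen

def find_pollers(log_text, period=600, tolerance=30, min_events=5, min_ratio=0.8):
    """Return (device, host) pairs whose request gaps sit near `period` seconds."""
    hits = []
    for key, times in parse(log_text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        on_beat = sum(abs(g - period) <= tolerance for g in gaps)
        if on_beat / len(gaps) >= min_ratio:
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    for device, host in find_pollers(SAMPLE_LOG):
        print(f"{device} polls {host} about every ten minutes")
```

A hit only says that a device contacts one host on a steady ten-minute beat; legitimate sync services do the same, so the result is a list to review against known-good destinations.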
Steal, buy or... do it yourself with malware
ElevenPaths found and alerted Google about these apps, which were then removed. The team studied them and even had access to the attackers' servers. Victims' real accounts were not compromised, but the harm for them came in consumed traffic and the potential that their device ID could be banned for fraudulent use.
New malware methods
This attack was extremely interesting, not only for the code of the malware itself, but because they managed to fool Google Play by uploading these apps hundreds of times. Antiviruses were not aware of the attack until ElevenPaths told them, and they had to invent a new variant of malware to find them.
But the work did not stop there. ElevenPaths has been following the gang since the apps were removed and got to know about their new plans. They have found new malware that does not just associate an account with a device ID, but creates the Gmail account from scratch, although it's not believed this particular malware has spread yet.
What can the user do?
Common sense is always the best policy. It's still very unusual for malware to take advantage of Android vulnerabilities, so wider prevention is all about making users aware that they have to physically install the malware themselves. We'd recommend that people whitelist their apps, so they only install the most reputable programs. Here's a couple of tips to make sure you don't become a victim:
- Never install apps from outside Google Play, or markets you really trust. If in doubt, research the developer
- Never trust very "new" apps. Wait until they've been around a few months and had a few thousand downloads
- Ban apps you do not feel comfortable with. If an app requires too many permissions, downloading it is probably a bad idea
- Use an antivirus on your phone
So next time you see an app that's simply too good to be true, the chances are it probably is. Prevention is always the best cure, so exercise due caution and don't let the Shuabangers get the better of you.
Contributed by Chema Alonso, CEO, Telefónica's ElevenPaths