Cybercriminals use Google Cloud Messaging service to control malware on Android devices

Kaspersky Lab researchers identified Android malware threats that receive commands from attackers through the Google Cloud Messaging service

Cybercriminals are controlling malware on Android devices through a Google service that enables developers to send messages to their applications, according to security researchers from antivirus vendor Kaspersky Lab.

Google Cloud Messaging (GCM) for Android allows developers to send and receive different types of messages to and from applications installed on Android devices. A developer can, for example, send messages that contain up to 4KB of structured data from a server the developer owns through a Google-run GCM server to all user installations of the developer's GCM-enabled apps. The applications don't even have to be running on user devices as the received messages will be broadcast by the Android OS and the targeted apps will be woken up.

The GCM message data can include links, text advertisements or commands, said Roman Unuchek, a senior malware analyst at Kaspersky Lab, Wednesday in a blog post.

Researchers from the antivirus company have already identified multiple Android malware threats that use GCM as a primary or secondary command-and-control channel.

One of them is called Trojan-SMS.AndroidOS.FakeInst.a and can send text messages to premium-rate numbers, delete incoming text messages, generate shortcuts to malicious sites and display notifications advertising other malicious programs as useful apps or games, Unuchek said.

Kaspersky found over 4.8 million installers for FakeInst.a to date and during the past year the company's mobile antivirus product blocked over 160,000 attempted installations of this Trojan program, the researcher said. FakeInst.a was detected in over 130 countries, but it primarily targets users in Russia, Ukraine, Kazakhstan and Uzbekistan, he said.

Another Android malware threat that uses GCM to receive commands and updates is called This malware program is usually disguised as a porn app, but like FakeInst.a, its purpose is to send premium-rate text messages and display ads in the Android notification area.

"In total, KMS blocked over 6,000 attempts to install," Unuchek said. "This Trojan targets mainly mobile devices in the UK, where 90 percent of all attempted infections were detected."

Other Android malware programs that use GCM for command-and-control purposes and were identified by Kaspersky researchers include Trojan-SMS.AndroidOS.OpFake.a with over 1 million detected samples and 60,000 infection attempts, Backdoor.AndroidOS.Maxit.a with over 40 variants and 500 blocked installation attempts, and with over 1,000 modifications and 1,500 attempted installations.

One problem with GCM is that neither users nor mobile antivirus programs can block malicious messages received through it because they are delivered by the OS itself, Unuchek said via email. "Antivirus software cannot block system activities."

The only way to block this channel of communication between virus writers and their malware is to block the developer accounts whose IDs are being used to register malicious programs with GCM, he said. "We have informed Google about the detected GCM IDs that are used in malware."

There isn't currently a large number of malware programs that use GCM, but those that do exist are widespread in some parts of western Europe, the Commonwealth of Independent States (CIS) and Asia, Unuchek said.

GCM seems to be a very cheap and easy instrument for cybercriminals to use, so it's likely the service could be abused to a greater extent in the future unless the bar for cybercriminals is not raised higher through countermeasures, the researcher said.

In addition to disabling developer IDs that are found to abuse the GCM service, it might also be a solution to actively analyze GCM messages for malicious content in a way similar to how intrusion detection systems analyze network traffic, Unuchek said.

Google did not immediately respond to an inquiry asking for information about the methods it uses to prevent malware writers from abusing the GCM service.

Join the CSO newsletter!

Error: Please check your email address.

Tags mobile applicationsAndroid OSGooglesecuritymobile securitymobilemalwarekaspersky lab

More about GoogleKasperskyKaspersky

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts