Android malware now abusing Google Cloud Messaging channel, Kaspersky reports

Sneaky command and control

Android malware has started abusing the Google Cloud Messaging (GCM) service, normally used to push data to and from legitimate apps, as a sneaky command and control channel, Kaspersky Lab has noticed.

Launched by Google in 2012, the free GCM service is now used by most Play Store apps for a variety of tasks including synchronisation, alerting the user, and even exchanging larger messages up to a maximum 4Kb in size.

A more recent update allows it to be used by the Chrome browser to communicate with apps, for instance allowing the same app on different devices to remain in sync.

It seems that malware writers have noticed GCM's potential, including some of the most successful rogue apps targeting Android.

According to Kaspersky, a prime example is the rapacious and hugely successful toll fraud FakeInst.a, which the firm has blocked from installing 160,000 times, mostly in its Russian and Ukrainian heartland.

The GCM channel is crucial to its multi-purpose behaviour. Although it can generate shortcuts to malicious sites, delete messages and fire up adverts for other malware apps, it can also be instructed to send premium rate SMS texts when it receives the right command, Kaspersky said.

The same applies for, which also uses GCM to retrieve updates. Although less common, this app is noteworthy for mostly targeting UK Android users where the firm spotted install attempts on 6,000 occasions.

Possibly the most interesting of all is OpFake.a, for which Kaspersky Lab has detected 1 million installers. Exhibiting the full gamut of Android malware behaviours, including stealing data, its creators dovetail their own C&C channel with experimental use of the GCM, possibly as a backup.

"It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service," said Kaspersky Lab's Roman Unuchek.

"Even though the current number of malicious programs using GCM is still relatively low, some of them are widespread. These programs are prevalent in some countries in Western Europe, the CIS, and Asia."

Android malware writers are probably experimenting with GCM because it is currently much harder to block than conventional C&C, which uses hardcoded servers; it is also rapid by C&C standards.

As Kaspersky points out, blocking GCM as a back channel would require Google itself to nix the developer accounts used to generate legitimate GCM IDs; security apps would be unable to do this on their own.
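Since the GCM channel itself cannot be blocked by a security app, one defensive option left to analysts is to flag apps that pair a GCM receiver with the SMS permissions the toll-fraud behaviour above depends on. The following heuristic is an added example written for this article, not code from Kaspersky Lab or any of the malware families discussed; the manifest it scans is constructed, and the permission names are the standard ones GCM-era apps declared.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission and broadcast action a GCM-capable app had to declare.
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_INTENT = "com.google.android.c2dm.intent.RECEIVE"
# SMS capabilities that, next to a GCM receiver, match the premium-SMS behaviour described.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.WRITE_SMS",
}


def gcm_sms_indicators(manifest_xml: str) -> dict:
    """Scan an AndroidManifest.xml and report GCM receiver + SMS permission co-occurrence."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receives_gcm = GCM_PERMISSION in perms
    # A receiver whose intent-filter listens for the GCM broadcast action.
    gcm_receiver = any(
        a.get(ANDROID_NS + "name") == GCM_INTENT
        for r in root.iter("receiver") for a in r.iter("action")
    )
    sms = sorted(perms & SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "gcm_channel": receives_gcm and gcm_receiver,
        "sms_permissions": sms,
        "suspicious": receives_gcm and gcm_receiver and bool(sms),
    }


# Constructed sample manifest (not from any real app): a GCM receiver beside SEND_SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".PushReceiver"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <category android:name="com.example.constructed"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(gcm_sms_indicators(SAMPLE_MANIFEST))
```

Many legitimate messaging apps also combine push with SMS permissions, so treat a hit as a triage signal to be confirmed by looking at what the receiver does with the payload, not as a verdict.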

What is already known is the dominance of Russian crimeware organisations over the mobile malware business, with as few as 10 gangs believed to control a large portion of the SMS toll fraud scams alone.

Stories by John E Dunn