Android malware now abusing Google Cloud Messaging channel, Kaspersky reports

Sneaky command and control

Android malware has started abusing the Google Cloud Messaging (GCM) service, normally used to push data to and from legitimate apps, as a sneaky command and control channel, Kaspersky Lab has noticed.

Launched by Google in 2012, the free GCM service is now used by most Play Store apps for a variety of tasks including synchronisation, alerting the user, and even exchanging larger messages up to a maximum 4Kb in size.

A more recent update allows it to be used by the Chrome browser to communicate with apps, for instance allowing the same app on different devices to remain in sync.

It seems that malware writers have noticed GCM's potential, including some of the most successful rogue apps targeting Android.

According to Kaspersky, a prime example is the rapacious and hugely successful toll fraud FakeInst.a, which the firm has blocked from installing 160,000 times, mostly in its Russian and Ukrainian heartland.

The GCM channel is crucial to its multi-purpose behaviour. Although it can generate shortcuts to malicious sites, delete messages and fire up adverts for other malware apps, it can also be instructed to send premium rate SMS texts when it receives the right command, Kaspersky said.

The same applies for, which also uses GCM to retrieve updates. Although less common, this app is noteworthy for mostly targeting UK Android users where the firm spotted install attempts on 6,000 occasions.

Possibly the most interesting of all is OpFake.a, for which Kaspersky Lab has detected 1 million installers. Alongside the full gamut of Android malware behaviours, including stealing data, its creators dovetail their own C&C channel with experimental use of GCM, possibly as a backup.

"It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service," said Kaspersky Lab's Roman Unuchek.

"Even though the current number of malicious programs using GCM is still relatively low, some of them are widespread. These programs are prevalent in some countries in Western Europe, the CIS, and Asia."

Android malware writers are probably experimenting with GCM because it is currently much harder to block than conventional C&C, which uses hardcoded servers; it is also rapid by C&C standards.

As Kaspersky points out, blocking GCM as a back channel would require Google itself to nix the developer accounts used to generate legitimate GCM IDs; security apps would be unable to do this on their own.
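Because the push traffic itself cannot be blocked at the device, one defender-side check is static triage of an app's manifest for the combination the article describes in FakeInst.a: a GCM receiver alongside the SEND_SMS permission. The following is an added example, not code from Kaspersky or the original article; the sample manifest is constructed, and the permission and intent names are the real legacy GCM (C2DM) identifiers.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Legacy GCM (C2DM) permission/intent and the SMS permission (real identifiers).
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_INTENT = "com.google.android.c2dm.intent.RECEIVE"
SEND_SMS = "android.permission.SEND_SMS"


def triage_manifest(manifest_xml: str) -> dict:
    """Report whether a manifest declares a GCM receiver, the SEND_SMS
    permission, and whether the combination warrants manual review."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    actions = {e.get(NAME_ATTR) for e in root.iter("action")}
    has_gcm = GCM_PERMISSION in perms or GCM_INTENT in actions
    has_sms = SEND_SMS in perms
    return {"gcm_receiver": has_gcm, "send_sms": has_sms,
            "review": has_gcm and has_sms}


# Constructed sample manifest (hypothetical app) combining a GCM receiver with SEND_SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is only a triage signal: legitimate messaging apps also register for GCM and send SMS, so the flagged combination calls for a closer look rather than an automatic verdict.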

What is already known is the dominance of Russian crimeware organisations over the mobile malware business, with as few as 10 gangs believed to control a large portion of the SMS toll fraud scams alone.
