Why Android explosion is attracting cyber criminals on the dark web

By Param Singh, Carbon Black

Google's Android operating system, which has transformed the smartphone market landscape, is powering more than two billion devices (including phones, tablets, televisions, etc.) and has just started to pick up speed in the enterprise world.

Such explosive growth is catching the attention of cyber criminals. Already we are seeing an uptick in Android ransomware kits in underground markets, selling for a much higher prices. Carbon Black's research discloses that the median price of ransomware targeting Windows OS is $10, while Android-capable ransomware has a median range of $200.

Android ransomware is sure to proliferate in parallel with hardware advances as devices such as smartphones and tablets are rapidly replacing other gadgets we use both at home and in the workplace. Some estimate there will be more than six billion smartphones by 2020. Many of these devices are being used for everything ranging from web browsing, paying bills, online banking, digital wallets and storing personal information, to being used for point-of-sale payments.

Securing these devices must become a top priority in both enterprise and home environments.
Many enterprises are struggling between BYOD (bring your own device) adoption and developing security strategies for smartphones and tablets. Since most strategies from a typical enterprise security procedure list (such as installing security patches, running latest OS, application whitelisting, etc.) apply to mobile, creating a separate mobile security strategy is not advisable.

Instead, smart device security policies should be crafted to match the overarching security strategy. That said, BYOD is a double-edged sword. On one hand, it provides flexibility to employees and on the other, not having ownership of the device makes its management tough.

Android (in)security

Android phones comprise more than 85 per cent of the smartphone market, making Android the most prominent - thus highly targeted - smartphone platform. The fundamentals of cyber-crime economics that favoured PC malware in the desktop and server world also hold true for smartphones. Cyber criminals tend to target the most prevalent platform, aiming to infect as many victims as possible and increasing their opportunities to steal more money.

Platform fragmentation

Another aspect of the Android marketplace that has benefited attackers is its fragmented adoption of software updates. Even a year after its release, only 17 per cent of Android devices run Nougat 7.0 while only 3 per cent are running Nougat 7.1, its incremental update. By contrast, Apple iOS 11 reached 52 per cent of Apple's smartphones in less than two months. Recent research on Android fragmentation issues disclosed that more than 1 billion Android devices have not been updated for two years, and probably never will be.

Comparison of Android 17 per cent (in an year) vs. Apple 52 per cent (in two months) platform update adoption

This fragmentation and lag in adoption of the newer Android upgrade is a major reason behind its perceived insecurity. Google has worked hard in past years to bring improvements to its Google Play store, with application sandboxing, user permissions, device encryption, vulnerability disclosure programs, etc., but unless it tackles the fragmentation issue, there will always be malware families targeting Android users whose smartphones are not fully updated.

By not having full control over hardware, any update in the Android platform could potentially impact manufacturers, OEMs, carriers and users across the globe. While this diversity of hardware and manufacturers is the reason why Android is running on two billion systems, it also increases the complexity of coordinating efforts to reduce fragmentation by updating and patching. Most threats to the Android platform could be eliminated easily if users upgrade their smartphones to the latest version.

Many smartphone users believe Android is more vulnerable simply because it is open-sourced, although this is simply not true. They feel that making any software open-source allows malicious hackers to see more easily how an application works. Yet open-source also makes it easier for everyone else who is interested to look through code, add enhancements and report security vulnerabilities.

Another benefit of open-source software is the rapid manner in which patches or fixes to high-severity bugs are added. In contrast, commercial vendors have longer update cycles due to resource availability, project priorities and strict release cycles.

A skilled, malicious hacker will find bugs in an application regardless of whether or not he or she has access to code, but having a closed-source application will definitely deter hobbyists and volunteers from collaboration and fixing bugs. The rapid development and improvement of Android is somewhat fuelled by its being an open-source platform.

Google Play security

Google provides a centralised market, 'Google Play' for mobile applications. However, Android users can also install apps from third-party markets such as Amazon. While most of these markets are reputable and safe, there are also underground app marketplaces which provide popular commercial/paid apps for free. These markets are popular in the low-price, low-budget markets in developing countries, where Android is most popular.

In the past, malicious hackers have decompiled popular apps, added their malicious code, repackaged the app, and hosted it in popular underground marketplaces which give away these commercial apps for free.
Earlier this year, criminals used this tactic to craft a fake copy of King of Glory, a popular Chinese game, and modified it to spread ransomware that mimicked WannaCry. As per Wikipedia, King of Glory has more than 200 million monthly players, which makes putting out repackaged, fake applications a great avenue for criminals to lure victims, and is a serious security problem.

Security-aware Android users stay away from third-party stores and tend to install applications only via Google Play. Yet there have been reports of malicious apps where criminals were able to bypass Google vetting processes and infect end users. Such incidents create doubt in the mind of Android users, who want to trust and use Google Play. A recent example was the BankBot trojan that bypassed Google vetting process three times, and even received the Google Play Protect verified application badge.

Another example is the recent discovery of a fake version of WhatsApp by Redditors that fooled more than a million users into downloading it. In this case, the fake application was just the original application but with advertisements that made money for the malicious uploader.

Fake WhatsApp on Google Play Store with 1 million downloads

Android malware and ransomware

With the increasing use by businesses of smartphone, tablets and other BYOD devices, these will become targets of cyber criminals sooner rather than later. Using long-time successful tactics and toolsets, such as 'malware generators', criminals have created malware variants with minimal coding experience that previously targeted desktop environments. Such generators require users to specify a ransom note and an application icon, which produces an APK file that cyber criminals can distribute using various techniques such as Double-Locker that posed as Adobe Flash Player via a compromised website.

A common technique seen in these generators is 'code obfuscation', which is similar to what web exploit-kit developers have used for many years to bypass detection of malicious java scripts. Cyber criminals are now using this technique to obscure the code, such as encoded parameters in APK files bypassing security-screening processes that rely on automated code-level reviews.

Earlier, most fake applications were typically involved in sending premium-rate SMS messages and stealing financial credentials. But as those attacks become tougher and crypto-currency such as Bitcoin gains popularity, we believe ransom-based attacks such as screen-lock and file-encryption will gain popularity.

Android Locker ransomware being sold in dark-web for a premium price

While the number of Windows ransomware kits on the dark web overshadow any other platform, we are noticing premium kits with a median range of $200 targeting Android. We believe these attacks will target smartphones, tablets and other Android devices very soon.

For a successful campaign, such as the fake WhatsApp application that was on Google Play and downloaded by more than a million users, the criminals' return on investment can be enormous.


While there are flaws in the Android ecosystem, it has come a long way in the 10 years since its initial release. At a recent event where security researchers competed to find and exploit vulnerabilities, there was no vulnerability reported for Google's Pixel 2 phone, compared to Apple iOS 11 which was hacked both on November 1 and November 2. With control over its hardware, one of the important security features of Pixel phones is the immediate access to latest Android OTA (over-the-air) updates.

Hopefully this will solve the platform fragmentation issue and the slow adoption rate of Android upgrades when compared to Apple. By frequently updating the OS and applications with the latest revisions and patches, users will be much safer.

It is also important to use only Google Play or trustworthy sources (e.g. Amazon). Although in the past some malicious applications have made their way into Google Play, it is still the most trusted and safest way of installing applications. Google has continuously improved its screening process and is prompt in removing malicious applications after disclosure or detection. Users should not be lured into installing applications from dubious third-party sources that give away paid apps for free.

To determine if an application is legitimate or not, users should always review an application's reputation, user feedback, app verification, and prevalence data to make an educated decision before downloading and installing.

Special attention should be paid to the permissions requested by mobile apps, which may indicate malicious behaviour. Proactive users should also enable Google Play Protect's 'scan device for security threats' feature to detect harmful applications when downloaded and on a routine basis.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwareGoogle Androidransomwarecyber securityCarbon Black

More about AdobeAmazonAppleApple.Carbon BlackGoogleWikipedia

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Param Singh

Latest Videos

More videos

Blog Posts