Understanding Android Malware Families: Riskware – is it worth it? (Article 4)

Riskware is defined as a legitimate program that presents potential risks to the security vulnerabilities on a device. Although it is a legitimate program, bad actors use Riskware to steal information from the device and redirect users to malicious websites or perform functions at the expense of device security.

Typically, Riskware is associated with attackers who hijack devices, gain unauthorized access to devices, collect sensitive information, and disrupt services with the intent to steal information for misuse.

These vulnerabilities can pose legal risks and infringements. This article reveals prominent Android families and provides in-depth insights into the functions, activities and communication processes used by attackers. Readers will gain insights into the dangers and indicators of when a smartphone has been infected by riskware. In addition, the article delves deeper into technical features that can detect riskware on a smartphone. Finally, some preventive measures to protect the device from high-risk goods families are presented.

The technical details in this article stem from our public Android malware dataset called CCCS-CIC-AndMal-2020, published by the Canadian Institute for Cybersecurity CIC in collaboration with Canadian Centre for Cyber Security CCCS.

Activities and behaviour of riskware families

This section describes the relevant features of Riskware families. Figure 1 presents twenty-one Riskware families that we analyzed for this article. The most popular Riskware families include mobilepay, metasploit, revmob, smspay, smsreg, and talkw.

Figure 1

Riskware families collect personal and phone information, send/receive SMSs, steal network information, connect to malicious websites, install malicious content on devices, show malicious advertisements, and modify system settings and files on the compromised device. Table 1 presents the activities performed by riskware families.

Table 1: Activities performed by Riskware families:
Malware Family Data Media Hardware Actions Internet C&C Anti-virus Storage
AnyDown I2, I4
BadPac H1, H2 I1, I3
Deng D1 H1, H2 A1 I2
Dnotua A1 I1, I3
Kingroot D1, D5 H1, H3 A1 I3
MobilePay D2 I3, I4
Metasploit A1
Nqshield D3 I4
RemoteCode I3
RevMob D1 H1 I1, I2, I3, I4
Secneo D2, D5 M1, M2 H1, H2 A3 I1, I3
SkyMobi D1 H1 I3
SmsPay D5 I4
SmsReg D5 H1, H2 I1, I4
Talkw I2, I4
TenCentProtect H1 I1, I3
Tordow D2, D5 M1 A2, A3 I3
Triada D5 H1 A1
Wapron D1, D4 I2, I4
WiFiCrack H2 I1
D1: Collect personal information (phone number, email address, app accounts) and browser history

D2: Collect user contacts 

D3: Send / receive spam emails

D4: Steal banking credentials

D5: Send / receive SMS

M1: Make call / collect call history

M2: Record audio / use microphone

H1: Collect phone information (IMEI, ID, status)

H2: Get location (GPS)

H3: Lock phone or change PIN

A1: Ask for root privileges

A2: Block / delete / use phone apps

A3: Execute after phone reboot

I1: Steal network information (WiFi, IP, DNS)

I2: Access / redirect user to malicious websites

I3: Install malicious apps

I4: Show popup-ad, warnings, and notifications 


The following observations derive from table 1:

Important activities of high-risk families fall into 4 categories: 1) Collection of sensitive personal and phone information 2) Interaction with hardware 3) connection to the Internet, and 4) access to storage settings on compromised devices.

Some Riskware families such as Metasploit, tencentprotect and tordow connect to the Command and control (C & C server to remotely receive instructions and report collected data to a remote server that controls the Riskware).

Riskware families steal network information from the victim’s device, access malicious websites, install malicious apps, and display pop-up ads, notifications, and warnings.

In addition, a significant change in behaviour is observed in all of the Riskware families mentioned below:

  • Dnotua updates the message digest.
  • Jiagu accesses the wakelock service to keep it awake.
  • MobilePay Launches New Activities and Brings the message digest.
  • SmsReg is one of the largest families of Riskware, which mainly executes database queries.
  • Triada uses the SIM serial number to access cryptographic keys. WiFiCrack also accesses encryption keys.

Further analysis of similar families of Riskware compared to other Android malware families shows that Riskware families closely resemble some families of Adware and Trojan malware.

Types of riskware

Based on the activities performed by riskware, Figure 2 presents four categories of Riskware, which are summarized below.

Figure 2
  1. File Downloader: It downloads and installs malicious apps. These apps are programmed to exploit software vulnerabilities in the target device.
  2. Activity monitoring apps: These apps collect and store sensitive information such as personal information and phone data. These apps continuously monitor user behaviour for infiltration and are used to launch other attacks.
  3. Dialer programs: These programs execute calls and record the call history.
  4. Remote Support Utilities: These utilities connect to remote C & C servers for a dual functionality: First, they tend to transfer captured sensitive information to a remote server, and second, they receive instructions from a remote server to perform malicious activities on the compromised device.

Essential indicators to detect riskware on a smartphone:

A remarkable Android Riskware called WhatsApp Plus, launched in 2017, illustrates the dangers of Riskware. Once installed, this application displayed a message on an installed device indicating that the app was outdated and needed to be updated. Afterwards, the app provided a link to download and install the update.

It is clear that it is important to be aware of such dangers and threats to mobile devices. The following indicators help to detect the presence of Riskware malware on Android phones:

  • App-requested permissions: Always pay attention to what kind of permissions are requested by a newly installed app. For example, an image editing app needs permissions to access your camera, gallery, and files on the device, but the permissions of the device are at root level. Inappropriate request for unnecessary permissions serves as a compelling indicator to detect risky ware.
  • App Updates from Developers: All legitimate apps receive updates from the developer of this app; if an app no longer receives such updates, this is a clear warning signal.
  • Illegal downloads: When an installed app downloads content from the Internet, it can pose a risk by introducing software vulnerabilities and violations of the law.
  • Terms of service breach: If an app interferes with the execution of another app installed on the device, it violates the terms of use. No app can disable the functionality of another app; it is considered a breach of contract.

Technical features for the detection of riskware

Based on our research in a representative Android dataset called CCCS-CIC-AndMal-2020, there are certain technical characteristics that can be used to identify at-risk families.

  • Memory features: Storage functions define activities performed by malware by using memory.
  • Network features: Network features describe the data sent and received between other devices in the network. It indicates foreground and background network usage.
  • API functions: Application Programming Interface API functions outline the communication between two applications. For example, when a user surfs the Internet, checks the weather forecast, sets a timer, accesses Twitter on their phone, they’re using an Android API in the background.
  • Logcat functions: Logcat functions write log messages that correspond to a function executed by malware.

Delving deeper into riskware behaviour, significant changes in memory features contribute to significant behavioural changes when running risk wares samples. Although there are important changes in API, network and Logcat functions for risk wares families, these changes are small compared to the storage functions used by risk wares families.

Preventive measures to protect your device

Riskware protection is an uncertain concept. However, in order to avoid risk capital, the following preventive measures are very helpful:

  • Do not install apps that require unnecessary permissions on the device.
  • As a rule of thumb, download apps only from authorized sources. Avoid downloading apps from third-party sources.
  • Remove or uninstall apps that unnecessarily interfere with the functioning of other apps on the device.
  • Read terms of service before installing it. Most users don’t bother to do so as it looks strange to read so much content they don’t care about, but it is important for the security of the device.
  • Uninstall all untrusted apps that have not been authorized on the device.
  • Do not install any illegal or prohibited content on the device.


This article introduces the basics of the Riskware malware families. It is equipped with malicious features that are run by Riskware on the target device. Based on our public record of Android malware, called CCCS-CIC-AndMal-2020, we open ourselves to the activities of twenty-one notable Riskware families. We establish compelling compromise indicators indicating that the phone is infected by Riskware families. The article highlights technical features that can be used to detect Riskware on a smartphone. Finally, it introduces preventive measures to protect the device. The next article in the UAMF series will dig into adware that serves pop-up advertisements and backdoor that secretly exploits malware categories.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Gurdip Kaur and Arash Habibi Lashkari
Gurdip Kaur and Arash Habibi Lashkari
***Dr. Gurdip Kaur is a Risk Advisory Consultant at Deloitte Canada. She is a CompTIA certified CyberSecurity Analyst (CySA+) experienced in detecting and analyzing malicious network traffic. She is the author of the book titled “Understanding Cybersecurity Management in FinTech” published by Springer in 2021. She has also contributed to the “Understanding Android Malware Families (UAMF)” series to the IT World Canada this year. She has published several book chapters and research papers with reputed journals. She has contributed to three public cybersecurity datasets generated at the Canadian Institute for Cybersecurity, University of New Brunswick. She was awarded two gold medals in Bachelor of Technology and a silver medal for the research project on high interaction honeypots. Her research project on malware reverse engineering was selected among top 10 projects in the National Student Project Contest in 2015. She is strongly inclined towards cybersecurity, malware analysis, vulnerability management, incident reporting, and SIEM solutions. ***Dr. Arash Habibi Lashkari is an Associate Professor in Cybersecurity at York University and a senior member of the IEEE. Prior to this, he was an Associate Professor at the Faculty of Computer Science, University of New Brunswick (UNB), and research coordinator of the Canadian Institute for Cybersecurity (CIC). He has over 23 years of academic and industry experience. He has received 15 awards at international computer security competitions - including three gold awards - and was recognized as one of Canada’s Top 150 Researchers for 2017. He also is the author of ten published books and more than 100 academic articles on a variety of cybersecurity-related topics. In 2020, he was recognized with the prestigious Teaching Innovation Award for his personally-created teaching methodology, the Think-Que-Cussion Method. He is the author of 12 published books and more than 100 academic papers on various cybersecurity-related topics. He is the founder of the Understanding Cybersecurity Series (UCS), an ongoing research and development project culminating with a varied collection of online articles and blogs, published books, open-source packages, and datasets tailored for researchers and readers at all levels. His first two books in this series are entitled "Understanding Cybersecurity Management in FinTech - Challenges, Strategies, and Trends" and "Understanding Cybersecurity Law and Digital Privacy - A Common Law Perspective," published by Springer in 2021. The first online blog series of UCS entitled "Understanding Canadian Cybersecurity Laws", was recognized with a Gold Medal at the 2020 Canadian Online Publishing Awards (COPA). His research focuses on cyber threat modeling and detection, malware analysis, big data security, internet traffic analysis, and cybersecurity dataset generation.

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight