Riskware is a legitimate program that nevertheless exposes a device to potential security risks. Although the program itself is legitimate, bad actors use riskware to steal information from the device, redirect users to malicious websites, or perform functions at the expense of device security.

Typically, riskware is associated with attackers who hijack devices, gain unauthorized access to them, collect sensitive information, and disrupt services, with the intent of stealing information for misuse.

These vulnerabilities can also pose legal risks and infringements. This article reveals prominent Android riskware families and provides in-depth insights into the functions, activities and communication processes used by attackers. Readers will learn about the dangers of riskware and the indicators that a smartphone has been infected by it. In addition, the article delves into technical features that can detect riskware on a smartphone. Finally, some preventive measures to protect a device from riskware families are presented.

The technical details in this article stem from our public Android malware dataset, CCCS-CIC-AndMal-2020, published by the Canadian Institute for Cybersecurity (CIC) in collaboration with the Canadian Centre for Cyber Security (CCCS).

Activities and behaviour of riskware families

This section describes the relevant features of riskware families. Figure 1 presents the twenty-one riskware families that we analyzed for this article. The most prevalent families in the dataset are mobilepay, metasploit, revmob, smspay, smsreg, and talkw.

Figure 1: Riskware Families

Riskware families collect personal and phone information, send/receive SMSs, steal network information, connect to malicious websites, install malicious content on devices, show malicious advertisements, and modify system settings and files on the compromised device. Table 1 presents the activities performed by riskware families.

Table 1: Activities performed by Riskware families

| Malware Family | Data | Media | Hardware | Actions | Internet | C&C | Anti-virus | Storage |
|---|---|---|---|---|---|---|---|---|
| AnyDown | | | | | I2, I4 | | | |
| BadPac | | | H1, H2 | | I1, I3 | | | |
| Deng | D1 | | H1, H2 | A1 | I2 | | | |
| Dnotua | | | | A1 | I1, I3 | | | |
| Jiagu | | | | | | | | |
| Kingroot | D1, D5 | | H1, H3 | A1 | I3 | | | |
| MobilePay | D2 | | | | I3, I4 | | | |
| Metasploit | | | | A1 | | | | |
| Nqshield | D3 | | | | I4 | | | |
| RemoteCode | | | | | I3 | | | |
| RevMob | D1 | | H1 | | I1, I2, I3, I4 | | | |
| Secneo | D2, D5 | M1, M2 | H1, H2 | A3 | I1, I3 | | | |
| SkyMobi | D1 | | H1 | | I3 | | | |
| SmsPay | D5 | | | | I4 | | | |
| SmsReg | D5 | | H1, H2 | | I1, I4 | | | |
| Talkw | | | | | I2, I4 | | | |
| TenCentProtect | | | H1 | | I1, I3 | | | |
| Tordow | D2, D5 | M1 | | A2, A3 | I3 | | | |
| Triada | D5 | | H1 | A1 | | | | |
| Wapron | D1, D4 | | | | I2, I4 | | | |
| WiFiCrack | | | H2 | | I1 | | | |

Legend:

D1: Collect personal information (phone number, email address, app accounts) and browser history
D2: Collect user contacts
D3: Send / receive spam emails
D4: Steal banking credentials
D5: Send / receive SMS
M1: Make call / collect call history
M2: Record audio / use microphone
H1: Collect phone information (IMEI, ID, status)
H2: Get location (GPS)
H3: Lock phone or change PIN
A1: Ask for root privileges
A2: Block / delete / use phone apps
A3: Execute after phone reboot
I1: Steal network information (WiFi, IP, DNS)
I2: Access / redirect user to malicious websites
I3: Install malicious apps
I4: Show popup-ad, warnings, and notifications

The following observations derive from Table 1:

The important activities of riskware families fall into four categories: 1) collection of sensitive personal and phone information, 2) interaction with hardware, 3) connection to the Internet, and 4) access to storage settings on compromised devices.

Some riskware families, such as Metasploit, TenCentProtect and Tordow, connect to a command and control (C&C) server to remotely receive instructions and report collected data to the remote server that controls the riskware.

Riskware families steal network information from the victim's device, access malicious websites, install malicious apps, and display pop-up ads, notifications, and warnings.

In addition, a significant change in behaviour is observed in all of the Riskware families mentioned below:

  • Dnotua updates the message digest.
  • Jiagu accesses the wakelock service to keep it awake.
  • MobilePay launches new activities and accesses the message digest.
  • SmsReg is one of the largest families of Riskware, which mainly executes database queries.
  • Triada uses the SIM serial number to access cryptographic keys. WiFiCrack also accesses encryption keys.

Further analysis of similar families of Riskware compared to other Android malware families shows that Riskware families closely resemble some families of Adware and Trojan malware.

Types of riskware

Based on the activities performed by riskware, Figure 2 presents four categories of Riskware, which are summarized below.

Figure 2: Types of riskware
  1. File Downloader: It downloads and installs malicious apps. These apps are programmed to exploit software vulnerabilities in the target device.
  2. Activity monitoring apps: These apps collect and store sensitive information such as personal information and phone data. These apps continuously monitor user behaviour for infiltration and are used to launch other attacks.
  3. Dialer programs: These programs execute calls and record the call history.
  4. Remote Support Utilities: These utilities connect to remote C&C servers for a dual purpose: first, they transfer captured sensitive information to a remote server, and second, they receive instructions from the remote server to perform malicious activities on the compromised device.

Essential indicators to detect riskware on a smartphone

A notable Android riskware called WhatsApp Plus, launched in 2017, illustrates the dangers of riskware. Once installed, the application displayed a message on the device indicating that the app was outdated and needed to be updated. The app then provided a link to download and install the "update".

It is clearly important to be aware of such dangers and threats to mobile devices. The following indicators help to detect the presence of riskware on Android phones:

  • App-requested permissions: Always pay attention to the permissions a newly installed app requests. For example, an image editing app legitimately needs access to your camera, gallery, and files on the device, but it has no reason to request root-level permissions. An inappropriate request for unnecessary permissions is a compelling indicator of riskware.
  • App updates from developers: All legitimate apps receive updates from their developer; if an app no longer receives such updates, this is a clear warning signal.
  • Illegal downloads: When an installed app downloads content from the Internet, it can pose a risk by introducing software vulnerabilities and violations of the law.
  • Terms of service breach: If an app interferes with the execution of another app installed on the device, it violates the terms of use. No app may disable the functionality of another app; doing so is considered a breach of contract.
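The permission indicator above and the activity codes of Table 1 can be tied together in a simple manifest check. The example below is added here and is not code from the article or the dataset; it assumes a hypothetical mapping from Android manifest permissions to the Table 1 codes and a hypothetical per-category baseline of permissions a photo editor legitimately needs, then reports which out-of-baseline permissions the sample manifest (constructed) requests and which activities they would enable.

```python
"""Flag manifest permissions an app has no reason to request and map them
to the Table 1 activity codes (D/M/H/A/I) they would enable."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the article): the manifest permission an app would
# need to carry out each Table 1 activity code. Root access (A1) needs no
# manifest permission, so it cannot be read from a manifest at all.
PERMISSION_TO_CODE = {
    "GET_ACCOUNTS": "D1", "READ_CONTACTS": "D2",
    "SEND_SMS": "D5", "RECEIVE_SMS": "D5", "READ_SMS": "D5",
    "CALL_PHONE": "M1", "READ_CALL_LOG": "M1", "RECORD_AUDIO": "M2",
    "READ_PHONE_STATE": "H1",
    "ACCESS_FINE_LOCATION": "H2", "ACCESS_COARSE_LOCATION": "H2",
    "RECEIVE_BOOT_COMPLETED": "A3",
    "ACCESS_WIFI_STATE": "I1", "ACCESS_NETWORK_STATE": "I1",
    "REQUEST_INSTALL_PACKAGES": "I3", "SYSTEM_ALERT_WINDOW": "I4",
}

# Assumed baseline: what an app of this category legitimately needs.
EXPECTED_BY_CATEGORY = {
    "photo_editor": {"CAMERA", "READ_EXTERNAL_STORAGE",
                     "WRITE_EXTERNAL_STORAGE", "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission"))
    return {n.removeprefix("android.permission.") for n in names if n}

def assess(manifest_xml, category):
    """Permissions outside the category baseline, and the activity codes they imply."""
    baseline = EXPECTED_BY_CATEGORY.get(category, set())
    extra = sorted(requested_permissions(manifest_xml) - baseline)
    codes = sorted({PERMISSION_TO_CODE[p] for p in extra if p in PERMISSION_TO_CODE})
    return {"unexpected": extra, "activity_codes": codes, "suspicious": bool(codes)}

# Constructed manifest for a hypothetical photo editor that also asks for
# SMS, phone-state, boot and overlay permissions (Table 1 codes D5, H1, A3, I4).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofun">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="PhotoFun"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, "photo_editor"))
```

A real check would read the manifest out of the APK (it is binary-encoded there) and use a baseline per Play category rather than one hand-written set.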

Technical features for the detection of riskware

Based on our research on the representative Android dataset CCCS-CIC-AndMal-2020, there are certain technical characteristics that can be used to identify riskware families.

  • Memory features: Memory features characterize how a sample uses device memory while it runs.
  • Network features: Network features describe the data sent to and received from other devices on the network, including foreground and background network usage.
  • API features: Application Programming Interface (API) features outline the communication between two applications. For example, when a user surfs the Internet, checks the weather forecast, sets a timer, or accesses Twitter on their phone, an Android API is being used in the background.
  • Logcat features: Logcat features are the log messages that correspond to the functions executed by the sample.

Delving deeper into riskware behaviour, memory features show the largest changes when riskware samples are run. Although API, network and Logcat features also change for riskware families, these changes are small compared to the changes in memory features.

Preventive measures to protect your device

There is no single reliable way to protect against riskware. However, the following preventive measures go a long way toward avoiding it:

  • Do not install apps that require unnecessary permissions on the device.
  • As a rule of thumb, download apps only from authorized sources. Avoid downloading apps from third-party sources.
  • Remove or uninstall apps that unnecessarily interfere with the functioning of other apps on the device.
  • Read the terms of service before installing an app. Most users don't bother, because reading that much content they don't care about seems pointless, but it is important for the security of the device.
  • Uninstall all untrusted apps that have not been authorized on the device.
  • Do not install any illegal or prohibited content on the device.

Conclusion

This article introduces the basics of riskware malware families and the malicious features that riskware runs on a target device. Based on our public Android malware dataset, CCCS-CIC-AndMal-2020, we expose the activities of twenty-one notable riskware families. We establish compelling indicators of compromise that show a phone is infected by a riskware family. The article highlights technical features that can be used to detect riskware on a smartphone. Finally, it introduces preventive measures to protect the device. The next article in the UAMF series will dig into the adware and backdoor malware categories: adware that serves pop-up advertisements, and backdoors that secretly exploit the device.

Gurdip Kaur and Arash Habibi Lashkari

Dr. Gurdip Kaur is a postdoctoral fellow at the Faculty of Computer Science, University of New Brunswick (UNB). She is a CompTIA certified Cybersecurity Analyst (CySA+) and a gold medalist in the Bachelor of Technology from Punjab Technical University, India. She was awarded a silver medal for the project "Implementation and deployment of High Interaction honeypot for research purpose" by the National Defense and Research Forum, India, in 2013. Her research project on malware reverse engineering was selected among the top 10 projects in the National Student Project Contest 2015 in India. She is strongly inclined towards cybersecurity, malware analysis, reverse engineering, vulnerability management, incident reporting, and data science.

Dr. Arash Habibi Lashkari is an assistant professor at the Faculty of Computer Science, University of New Brunswick (UNB) and research coordinator of the Canadian Institute for Cybersecurity (CIC). He has more than 22 years of academic and industry experience developing technology that detects and protects against cyberattacks, malware and the dark web. Dr. Lashkari has been awarded 3 gold medals as well as 12 silver and bronze medals in international computer security competitions around the world. In 2017, he was selected as one of the top 150 researchers who will shape the future of Canada, and he won the Runner-up Cybersecurity Academic Award of the Year at the ICSIC conference in Canada. He is the author of 10 books in English and Persian on topics including cryptography, network security, and mobile communication, as well as over 90 journal and conference papers concerning various aspects of computer security. His research focuses on cybersecurity, big data security analysis, Internet traffic analysis, the detection of malware and cyber-attacks, and the generation of cybersecurity datasets.