Riskware is defined as a legitimate program that presents potential risks to the security vulnerabilities on a device. Although it is a legitimate program, bad actors use Riskware to steal information from the device and redirect users to malicious websites or perform functions at the expense of device security.
Typically, Riskware is associated with attackers who hijack devices, gain unauthorized access to devices, collect sensitive information, and disrupt services with the intent to steal information for misuse.
These vulnerabilities can pose legal risks and infringements. This article reveals prominent Android families and provides in-depth insights into the functions, activities and communication processes used by attackers. Readers will gain insights into the dangers and indicators of when a smartphone has been infected by riskware. In addition, the article delves deeper into technical features that can detect riskware on a smartphone. Finally, some preventive measures to protect the device from high-risk goods families are presented.
The technical details in this article stem from our public Android malware dataset called CCCS-CIC-AndMal-2020, published by the Canadian Institute for Cybersecurity CIC in collaboration with Canadian Centre for Cyber Security CCCS.
Activities and behaviour of riskware families
This section describes the relevant features of Riskware families. Figure 1 presents twenty-one Riskware families that we analyzed for this article. The most popular Riskware families include mobilepay, metasploit, revmob, smspay, smsreg, and talkw.
Riskware families collect personal and phone information, send/receive SMSs, steal network information, connect to malicious websites, install malicious content on devices, show malicious advertisements, and modify system settings and files on the compromised device. Table 1 presents the activities performed by riskware families.
Table 1: Activities performed by Riskware families:
| Malware Family | Data | Media | Hardware | Actions | Internet | C&C | Anti-virus | Storage |
| AnyDown | I2, I4 | |||||||
| BadPac | H1, H2 | I1, I3 | | |||||
| Deng | D1 | H1, H2 | A1 | I2 | ||||
| Dnotua | A1 | I1, I3 | | | ||||
| Jiagu | | | ||||||
| Kingroot | D1, D5 | H1, H3 | A1 | I3 | ||||
| MobilePay | D2 | I3, I4 | | |||||
| Metasploit | A1 | | | |||||
| Nqshield | D3 | I4 | | |||||
| RemoteCode | I3 | |||||||
| RevMob | D1 | H1 | I1, I2, I3, I4 | | ||||
| Secneo | D2, D5 | M1, M2 | H1, H2 | A3 | I1, I3 | | ||
| SkyMobi | D1 | H1 | I3 | | ||||
| SmsPay | D5 | I4 | | |||||
| SmsReg | D5 | H1, H2 | I1, I4 | |||||
| Talkw | I2, I4 | | ||||||
| TenCentProtect | H1 | I1, I3 | | | ||||
| Tordow | D2, D5 | M1 | A2, A3 | I3 | | | ||
| Triada | D5 | H1 | A1 | | | |||
| Wapron | D1, D4 | I2, I4 | | |||||
| WiFiCrack | H2 | I1 | ||||||
| D1: Collect personal information (phone number, email address, app accounts) and browser history
D2: Collect user contacts D3: Send / receive spam emails D4: Steal banking credentials D5: Send / receive SMS M1: Make call / collect call history M2: Record audio / use microphone H1: Collect phone information (IMEI, ID, status) |
H2: Get location (GPS)
H3: Lock phone or change PIN A1: Ask for root privileges A2: Block / delete / use phone apps A3: Execute after phone reboot I1: Steal network information (WiFi, IP, DNS) I2: Access / redirect user to malicious websites I3: Install malicious apps I4: Show popup-ad, warnings, and notifications |
|||||||
The following observations derive from table 1:
Important activities of high-risk families fall into 4 categories: 1) Collection of sensitive personal and phone information 2) Interaction with hardware 3) connection to the Internet, and 4) access to storage settings on compromised devices.
Some Riskware families such as Metasploit, tencentprotect and tordow connect to the Command and control (C & C server to remotely receive instructions and report collected data to a remote server that controls the Riskware).
Riskware families steal network information from the victim’s device, access malicious websites, install malicious apps, and display pop-up ads, notifications, and warnings.
In addition, a significant change in behaviour is observed in all of the Riskware families mentioned below:
- Dnotua updates the message digest.
- Jiagu accesses the wakelock service to keep it awake.
- MobilePay Launches New Activities and Brings the message digest.
- SmsReg is one of the largest families of Riskware, which mainly executes database queries.
- Triada uses the SIM serial number to access cryptographic keys. WiFiCrack also accesses encryption keys.
Further analysis of similar families of Riskware compared to other Android malware families shows that Riskware families closely resemble some families of Adware and Trojan malware.
Types of riskware
Based on the activities performed by riskware, Figure 2 presents four categories of Riskware, which are summarized below.
- File Downloader: It downloads and installs malicious apps. These apps are programmed to exploit software vulnerabilities in the target device.
- Activity monitoring apps: These apps collect and store sensitive information such as personal information and phone data. These apps continuously monitor user behaviour for infiltration and are used to launch other attacks.
- Dialer programs: These programs execute calls and record the call history.
- Remote Support Utilities: These utilities connect to remote C & C servers for a dual functionality: First, they tend to transfer captured sensitive information to a remote server, and second, they receive instructions from a remote server to perform malicious activities on the compromised device.
Essential indicators to detect riskware on a smartphone:
A remarkable Android Riskware called WhatsApp Plus, launched in 2017, illustrates the dangers of Riskware. Once installed, this application displayed a message on an installed device indicating that the app was outdated and needed to be updated. Afterwards, the app provided a link to download and install the update.
It is clear that it is important to be aware of such dangers and threats to mobile devices. The following indicators help to detect the presence of Riskware malware on Android phones:
- App-requested permissions: Always pay attention to what kind of permissions are requested by a newly installed app. For example, an image editing app needs permissions to access your camera, gallery, and files on the device, but the permissions of the device are at root level. Inappropriate request for unnecessary permissions serves as a compelling indicator to detect risky ware.
- App Updates from Developers: All legitimate apps receive updates from the developer of this app; if an app no longer receives such updates, this is a clear warning signal.
- Illegal downloads: When an installed app downloads content from the Internet, it can pose a risk by introducing software vulnerabilities and violations of the law.
- Terms of service breach: If an app interferes with the execution of another app installed on the device, it violates the terms of use. No app can disable the functionality of another app; it is considered a breach of contract.
Technical features for the detection of riskware
Based on our research in a representative Android dataset called CCCS-CIC-AndMal-2020, there are certain technical characteristics that can be used to identify at-risk families.
- Memory features: Storage functions define activities performed by malware by using memory.
- Network features: Network features describe the data sent and received between other devices in the network. It indicates foreground and background network usage.
- API functions: Application Programming Interface API functions outline the communication between two applications. For example, when a user surfs the Internet, checks the weather forecast, sets a timer, accesses Twitter on their phone, they’re using an Android API in the background.
- Logcat functions: Logcat functions write log messages that correspond to a function executed by malware.
Delving deeper into riskware behaviour, significant changes in memory features contribute to significant behavioural changes when running risk wares samples. Although there are important changes in API, network and Logcat functions for risk wares families, these changes are small compared to the storage functions used by risk wares families.
Preventive measures to protect your device
Riskware protection is an uncertain concept. However, in order to avoid risk capital, the following preventive measures are very helpful:
- Do not install apps that require unnecessary permissions on the device.
- As a rule of thumb, download apps only from authorized sources. Avoid downloading apps from third-party sources.
- Remove or uninstall apps that unnecessarily interfere with the functioning of other apps on the device.
- Read terms of service before installing it. Most users don’t bother to do so as it looks strange to read so much content they don’t care about, but it is important for the security of the device.
- Uninstall all untrusted apps that have not been authorized on the device.
- Do not install any illegal or prohibited content on the device.
Conclusion
This article introduces the basics of the Riskware malware families. It is equipped with malicious features that are run by Riskware on the target device. Based on our public record of Android malware, called CCCS-CIC-AndMal-2020, we open ourselves to the activities of twenty-one notable Riskware families. We establish compelling compromise indicators indicating that the phone is infected by Riskware families. The article highlights technical features that can be used to detect Riskware on a smartphone. Finally, it introduces preventive measures to protect the device. The next article in the UAMF series will dig into adware that serves pop-up advertisements and backdoor that secretly exploits malware categories.