New variants of Android malware called Android.Lockscreen are now being used by cyber criminals to successfully compromise Android devices by posing as an alternative Android launcher, says Symantec Corporation, an Internet security company.
The new variants use a new technique by declaring their main activity as part of the launcher category to get around the auto-start restrictions incorporated into Android 3.1 and all later versions.
Android had earlier implemented a protection mechanism, containing a feature that blocks silent auto-start capabilities through broadcast receivers. This is intended to prevent malware from taking advantage of the ability to silently and automatically start without any front-end activities. By default, all applications are in a stopped state when they have been installed, but not yet launched.
This means that the Android OS will not allow applications to be launched automatically, unless they have been run by the user at least once, to prevent attackers from using malware that starts automatically.
Symantec says after Android implemented this protection mechanism, attackers began using social engineering tactics to get users to launch malicious applications so they could continue to run. More recently, attackers began using a new method that doesn’t rely on the same old social engineering tricks to make sure their malware runs on infected Android devices.
“The new Lockscreen variants act as part of the launcher category so that when a user presses the home button, the threat’s main component will be listed as an alternative to Android’s default launcher application. The malware is given a deceptive name to make it more likely the user will trigger it indirectly,” Symantec explains.
Symantec further explains that when the threat is installed on a user’s device, the malicious application is not immediately executed. Instead, it obtains a trigger point by appearing as a launcher with the name ‘Android’.
“In this specific instance, the malware has chosen the name ‘Android’ for two reasons: firstly, since the launchers are listed alphabetically the malware will be listed above Android’s default launcher (named ‘Launcher’), secondly, the name ‘Android’ may make some users believe the launcher is legitimate and part of the Android OS,” the company says.
The internet security company thus suggests that users can prevent the malware from running by carefully selecting the default Android launcher, or any other legitimate launcher that they may have installed, instead of the alternative launcher that is shown on the list after pressing the home button. It also says Android users should choose “Always” instead of “Just Once” for the default launcher so that the malicious app will not even come up as an option or alternative launcher.
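For defenders who vet apps before they reach a device, the launcher declaration described above can be checked in a decoded AndroidManifest.xml. The following is an added example, not Symantec's code; the sample manifest, the package names, the trusted-launcher list and the label list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
HOME = "android.intent.category.HOME"
# Assumption: launcher packages the device owner actually trusts.
TRUSTED_LAUNCHERS = {"com.android.launcher3"}
# Labels that imitate the platform, like the 'Android' name in the article.
SYSTEM_LIKE_LABELS = {"android", "launcher", "system", "home"}

# Constructed sample of a decoded manifest; not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <application android:label="Wallpapers">
    <activity android:name=".Gallery">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Overlay" android:label="Android">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def find_home_activities(manifest_xml):
    """Return one finding per component that registers as a home screen."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for comp in app.findall("activity") + app.findall("activity-alias"):
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            cats = {c.get(NS + "name") for c in flt.findall("category")}
            if MAIN in actions and HOME in cats:
                label = comp.get(NS + "label") or app.get(NS + "label", "")
                findings.append({"package": package,
                    "component": comp.get(NS + "name"), "label": label,
                    "trusted": package in TRUSTED_LAUNCHERS,
                    "system_like_label": label.strip().lower() in SYSTEM_LIKE_LABELS})
                break  # one finding per component is enough
    return findings
```

A finding that is untrusted and carries a system-like label deserves manual review. Labels stored as resource references (for example `@string/...`) must be resolved to their text before the label comparison is meaningful.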
Symantec further makes the following recommendations to Android users as best practices to stay protected from mobile threats:
- Keep your software up to date
- Do not download apps from unfamiliar sites
- Only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, to protect your device and data
- Make frequent backups of important data
Symantec Corporation is a cyber security company that helps organizations, governments and people secure their important data wherever it lives. The company has a global community of more than 50 million people and families relying on its suite of products for protection across their devices.