Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Android malware now abusing Google Cloud Messaging channel, Kaspersky reports

Sneaky commmand and control

Article comments

Android malware has started abusing the Google Cloud Messaging (GCM) normally used to push data to and from legitimate apps as a sneaky command and control channel, Kaspersky Lab has noticed.

Launched by Google in 2012, the free GCM service is now used by most Play Store apps for a variety of tasks including synchronisation, alerting the user, and even exchanging larger messages up to a maximum 4Kb in size.

A more recent update allows it to be used by the Chrome browser to communicate with apps, for instance allowing the same app on different devices to remain in synch.

It seems that malware writers have noticed GCM’s potential, including some of the most successful rogue apps targeting Android.

According to Kaspersky, a prime example is the rapacious and hugely successful toll fraud FakeInst.a, which the firm has blocked from installing 160,000 times, mostly in its Russian and Ukrainian heartland.

The GCM channel is crucial to its multi-purpose behaviour. Although it can generate shortcuts to malicious sites, delete messages and fire up adverts for other malware apps, it can also be instructed to send premium rate SMS texts when it receives the right command, Kaspersky said.

The same applies for, which also uses GCM to retrieve updates. Although less common, this app is noteworthy for mostly targeting UK Android users where the firm spotted install attempts on 6,000 occasions.

Possibly the most interesting of all is OpFake.a, 1 million installers for which have been detected by Kaspersky Lab. With the gamut of Android malware behaviours, including stealing data, its creators dovetail their own C&C channel with experimental use of the GCM, possibly as a backup.

“It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service,” said Kaspersky Lab’s Roman Unuchek.

“Even though the current number of malicious programs using GCM is still relatively low, some of them are widespread. These programs are prevalent in some countries in Western Europe, the CIS, and Asia.”

Android malware writers are probably experimenting with the GCN because it is currently much harder to block than conventional C&C, which uses hardcoded servers; it is also rapid by C&C standards.

As Kaspersky points out, blocking GCM as a back channel would require Google itself to nix the developer accounts used to generate legitimate GCN IDs; security apps would be unable to do this on their own.

What is already known is the dominance of Russian crimeware organisations over the mobile malware business with as few as 10 gangs believed ot control a large portion of the SMS toll fraud scams alone.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *