According to a press release that arrived today, entitled "Kaspersky Lab identifies first targeted attack utilising malware for Android devices", this marks the "first serious wave of targeted attacks using Android malware". But just how worrying is that really?
The PR company sending the release were at pains to point out that "this latest discovery is perhaps the first serious wave of targeted attacks using Android malware in-the-wild against Tibetan and Uyghur activists" and that "the malware secretly reports the infection to a command-and-control server. After that, it begins to harvest information stored on the device". The stolen data includes contacts stored both on the phone and on any associated SIM card, call logs, SMS messages, geolocation data, and handset details such as phone number, OS version, phone model and SDK version. The release itself opens by noting that the attack follows the same style as earlier ones aimed at Uyghur and Tibetan activists, but targets mobile devices instead of using DOC, XLS or PDF documents that exploit zero-days on Windows computers and Macs.
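The categories of data the release lists (contacts, call logs, SMS, location, handset identifiers) each map to a specific Android permission an app has to request in its manifest, and shipping any of it to a command-and-control server additionally needs the INTERNET permission. The triage below is an added example written for this post, not code from the article or from Kaspersky Lab: it parses an AndroidManifest.xml, maps the requested permissions back to those data categories, and flags the combination of "can read personal data" plus "can talk to the network". The permission strings are real Android permission names; the two sample manifests, their package names and app labels are constructed for illustration.

```python
"""Map an Android manifest's permission requests to the data categories a
harvesting Trojan would need, then flag read-personal-data + network egress.

Added example, not the article's or Kaspersky Lab's code. The manifests below
are constructed; the permission names are genuine Android permissions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Data categories from the release -> permission(s) needed to read them.
# OS version, model and SDK level need no permission at all, so they are
# deliberately absent from this table.
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "phone data": {"android.permission.READ_PHONE_STATE"},
}
EGRESS_PERMISSION = "android.permission.INTERNET"

# Constructed manifest resembling the harvesting profile described above.
HARVESTER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.invite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Conference Invite"/>
</manifest>"""

# Constructed manifest for a benign-looking app with no harvesting profile.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def harvested_categories(perms: set[str]) -> list[str]:
    """Data categories the app could read, given its permissions (sorted)."""
    return sorted(cat for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml: str, min_categories: int = 3) -> dict:
    """Summarise the manifest and flag personal-data access plus network egress.

    A messaging client legitimately holds READ_SMS and INTERNET, so the flag
    is a prompt for closer inspection, not a verdict; min_categories sets how
    many distinct personal-data categories must be readable before flagging.
    """
    perms = requested_permissions(manifest_xml)
    categories = harvested_categories(perms)
    can_exfiltrate = EGRESS_PERMISSION in perms
    return {
        "permissions": sorted(perms),
        "harvested_categories": categories,
        "can_exfiltrate": can_exfiltrate,
        "flag": can_exfiltrate and len(categories) >= min_categories,
    }


if __name__ == "__main__":
    for label, manifest in (("harvester", HARVESTER_MANIFEST), ("torch", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: flag={result['flag']} reads={result['harvested_categories']}")
```

Run against a real APK the manifest first has to be decoded from binary XML (apktool or aapt will do that); the point of the mapping is that a user, or a reviewer, can read the install-time permission prompt and see whether an app's requests line up with the data the release says was taken.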
It all sounds very serious stuff indeed, especially when you read statements such as "the Android malware used in the new attack steals private data from infected smartphones, including the address book and messaging history, and sends it to a command and control server. This attack is believed to be the first of this kind utilising fully functional Android malware and specifically targeting mobile devices of potential victims". But if you can get past the hyperbole and start digesting the facts in a rational manner, then you discover something rather interesting. The 'attack' itself started with an email account belonging to a 'high-profile' Tibetan activist being hacked, and that hacked account being used to send phishing emails out to his contacts.
This is important as it reveals this is not really a 'first of its kind' anything, but rather the same old leveraging of trust within the social engineering security vector. Sure, it uses a malicious .APK file aimed at Android users but, as with all mobile malware, it relies upon the naivety of the user to make the decision to open that file and install the malware. Sure, the software itself is a "fully featured Trojan aimed at stealing private data from a targeted group of victims" as Kaspersky Lab states, but the same statement immediately points out that "the attackers have so far used social engineering to trick the victims into installing the app". If you don't click on the install button, if you don't click on the link, if you don't open unexpected attachments from even 'trusted' sources without validating them first, then this 'highly targeted' and 'first of a kind' attack won't impact you. Simple as.
Full information regarding the malware can be found here and is probably worth a read if you are into your Android development as it's quite technical and interesting.