The Kaspersky Lab researchers recently have discovered a number of Android malware apps are abusing the Google Cloud Messaging Service (GCM) as Command and Control server. The GCM  service allows Android app developers to send messages using JSON Format for installed apps, but hackers exploited it for malicious Purposes.

Using Google Cloud Messaging Service (GCM) as Command and Control server for Android Malware is not a new concept, as last year Security researcher and Hacker 'Mohit Kumar' demonstrated 'Android Malware Engine' - One of the Most Sophisticated Android malware during Malcon conference.
The Kaspersky Lab researchers have detected at least five Different Android Trojans that used JSON format:
  1. 1. SMS.AndroidOS.FakeInst.a
  2. 2. SMS.AndroidOS.Agent.ao
  3. 3. SMS.AndroidOS.OpFake.a
  4. 4. Backdoor.AndroidOS.Maxit.a
  5. 5. SMS.AndroidOS.Agent.az.
The authors of the malware in Every case took advantage of Google Cloud Messaging Service to Exchange messages between C&C services and the malicious app. Once Gained a Google Cloud Messaging Service (GCM) ID, malware updates are distributed exploiting directly the Google cloud services and also any Command to the malicious agent is sent is exploiting the service and using JSON format.


Google Cloud Messaging Service (GCM) act as Command and Control server for the Trojans, which makes the malware updates as the official Updates via Google.

Furthermore, The execution of commands received from the Google Cloud Messaging Service GCM is performed by the GCM system and it is impossible to block them Directly on an infected device. The only way to cut this channel off From virus writers is to block developer accounts with IDs linked to the Registration of malicious programs.

SMS.AndroidOS.FakeInst.a Is the most diffused agent, according Kaspersky experts more than 4,800,000 installers have been detected and around 160000 attempted Installation was blocked in 2012.

It Can send text messages to premium numbers, delete incoming text Messages, generate shortcuts to malicious sites, and display Notifications advertising other malicious programs that are spread under The guise of useful applications or games” states the Kaspersky blog Post.

SMS.AndroidOS.Agent.ao is presented as a porn app and has the primary intent to send messages to premium numbers, meanwhile the SMS.AndroidOS.OpFake.a malware is the typical SMS malicious application of which have been detected also more than 1 million installers.

This last malware is also able to steal Sensitive information from the victim's handset such as contacts and it is also able to self-update its code, the agent appeared very active And was detected in 97 different countries, the majority in Russia and Eastern countries.

The Kaspersky team has blocked more than 60,000 Attempted installs, it sends several commands from both the GCM and its Own C&C servers such as:
  • Sending premium text messages to a specified number
  • Sending text messages
  • Performing self-updates
  • Stealing text messages
  • Deleting incoming text messages that meet the criteria set by the C&C
  • Theft of contacts
  • Replacing the C&C or GCM numbers
  • Stopping or restarting its operations
Backdoor.AndroidOS.Maxit trojan was very dated, first instance was detected in late 2011 and Appears to be continuously updated, today the experts counted more than 40 different variants most often in Malaysia, Thailand, the Philippines And Burma.

All of These modifications are very similar to one another,” “the app opens Websites with games, while malicious operations are executed in the Background.” It has been found most often in Malaysia, but also in Thailand, the Philippines and Burma.

"The The first thing the backdoor sets out to do is collect information about The phone and the SIM card, including the phone number and the mobile Provider. All of this data is uploaded to the androidproject.imaxter.net C&C. This is the server that manages all of the Trojan’s primaries Functions."

The Last trojan, SMS.AndroidOS.Agent.az., was detected for the first time in May 2012 and is a shell app for a Vietnamese porn website which is able Also to send text messages to a premium number.

The number of malware that exploits the Google Cloud Messaging Service is Destined to increase despite it is still relatively low, the data on Their diffusion demonstrated it. These malware are prevalent in Western Europe, the CIS, and Asia, virus writers know very well that execution Off commands received from GCM is performed by the Google Cloud Messaging Service system and it is impossible to block them directly on an Infected device.

Actually The only option for security experts is to block developer accounts With IDs linked to the registration of malicious applications.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.