Here’s how it works:
According to the Lookout blog, GGTracker is a Trojan (a malicious program concealed within otherwise harmless software). Its creators lure unsuspecting Android users via ads that appear in other Android apps. So far, those ads have been touting free apps for optimizing your phone battery or adult content. But that could easily change, so consider any in-app ad for a free app as a possible malware lure.
When users click on the in-app ad, they’re taken to something that looks like the official Google Android Market — what you’d expect if you’re about to download an Android app. However, it’s really a website designed to look just like the Android Market.
Lookout has published a screen grab of the fake market, showing a URL in the browser’s location bar that is nothing like the real Android Market address — which is https://market.android.com/. However, linking to any Web page for an app download is a red flag in and of itself. Android users almost always reach the Market through the Market app that comes standard on most Android phones, not through the mobile Web browser.
Note that the destination URL can and probably will change, as the malware creators stay on the move to avoid detection and legitimate Web hosts tend to shut down malicious sites quickly.
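As an added illustration (not code from the article or from Lookout), here is a small Python check that decides whether a link really points at the official Market address named above, ignoring how the page looks and comparing only the parsed host; the lookalike hosts in the sample list are constructed placeholders, not real sites.

```python
from urllib.parse import urlsplit

# The one legitimate Android Market origin named in the article.
OFFICIAL_MARKET_HOST = "market.android.com"

def is_official_market_url(url: str) -> bool:
    """Return True only if `url` really points at the official Android Market."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Only a TLS origin counts; an http:// copy of the market is not the market.
    if parts.scheme.lower() != "https":
        return False
    # Reject "user@host" forms, which can be used to disguise the real host.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact match only: "market.android.com.example" or "xmarket.android.com"
    # are different hosts even though they contain the official name.
    if host != OFFICIAL_MARKET_HOST:
        return False
    # A non-default port is another mismatch with the real site.
    if port not in (None, 443):
        return False
    return True

def classify_links(urls):
    """Map each URL to 'official' or 'suspect' for a quick link audit."""
    return {u: ("official" if is_official_market_url(u) else "suspect") for u in urls}

if __name__ == "__main__":
    # Constructed sample links; the lookalike hosts are placeholders.
    samples = [
        "https://market.android.com/details?id=com.example.app",
        "http://market.android.com/details?id=com.example.app",
        "https://market.android.com.example.test/details",
        "https://market.android.com@example.test/",
        "https://market-android.example.test/free-battery-app",
    ]
    for url, verdict in classify_links(samples).items():
        print(f"{verdict:8} {url}")
```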
Once on that malicious Web page, users are prompted to download the advertised app by clicking a button that appears to be just like any download button for any Android app. The Trojan then begins to download.
The user is then prompted via a dialog to click a notification and then install a specific file — again, a different process from installing an app from the Android Market, which should be a red flag.
In addition to installing the expected innocuous app, GGTracker also signs the user up for a premium SMS service — basically, a service that charges you money for each text message sent or received to interact with it. Tricking people into signing up for premium SMS is another top mobile security risk that can affect any mobile user on any type of phone. It’s a type of “cramming” — a practice the FCC is now moving to combat.
It’s unclear whether GGTracker conceals the sending and receipt of premium text messages. But Lookout says some of the services GGTracker signs victims up for charge up to $9.99.
As sneaky as GGTracker is, it’s clearly targeting the novice or less tech-savvy Android user. This segment of the Android user base is growing fast, especially as more lower-cost Android phones and plans are starting to hit the market. Longtime or expert Android users would probably instantly recognize that much is awry with the process for getting these free apps, but novices might easily fall for it.
As Phandroid’s Chris Chavez wrote, “I know most people out there will say, ‘If you’re dumb enough to install an app from a webpage, blah, blah, blah … ‘ that doesn’t really take into account all the thousands of new Android users who may not be aware of how this stuff works (or that malware even exists on their phone).”
Although Android presents more malware risks than the iPhone or BlackBerry, it’s likely to be a popular first-time smartphone for people who aren’t very tech savvy because increasingly Android phones can be purchased at a reasonable cost and used without a two-year contract.
It’s similar to why Windows remains the most popular computer operating system, even though it’s one of the least secure. This is why I’ve said that Android is the Windows of mobile platforms — for better or worse.
For the record, I’m not trashing Android. I love my Android phone, and wouldn’t want to go back to the iPhone. But it’s a tool that should be handled with care.
How to protect yourself:
Lookout is touting its own “safe browsing” service to protect against this kind of threat. However, a more basic first step is this: If you use an Android phone, get accustomed to the process of downloading and installing known legitimate apps, such as those produced by big-name brands you trust.
Also, know the difference between the Android Market app and your mobile Web browser, which is another app on your phone. Be able to tell which you are using at any given time.
If you’re new to Android, go into your phone’s settings for applications and make sure “Unknown sources: Allow installation of non-market applications” is unchecked.
Installing apps that you get from other places is called “sideloading,” and it can be a very useful option. But for people who are new to Android or not yet comfortable with mobile technology, it’s better to learn the basics before venturing into advanced territory.
Also, as Lookout cautions: “Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS messages, strange charges on your phone bill or unusual network activity.”