There has been a recent surge in compromises of Android devices by what appears to be drive-by malware (similar to a computer virus) that is infecting Android smartphones and tablets. Little or no user action needed beyond simply clicking a link or visiting a compromised website, and there may be no clear indications that a device is compromised afterward. You need not fall for a scam or go to a site with a poor reputation to be a victim, some very high profile sites and advertising services have been compromised recently to spread this malware.
This is a particularly sophisticated piece of software that in theory could similarly be used to exploit iOS, MacOS, Windows, and other devices though at present it has only been confirmed on Android.
Prevention and Remediation:
Install antivirus software and scan your device
Since most information about this malware is still preliminary and incomplete, any precautions we recommend may not offer complete protection. Regardless, the best information at the present recommends the use of one of the following antivirus solutions – they are typically available free for personal use in the Google Play store (in alphabetical order, we’re not recommending any particular one of these solutions over another at this time):
• Avast! Mobile Security
• Lookout Mobile Security
• Sophos Security & Antivirus
The latest information at the time of this writing is that AVG and a number of other antivirus products do not yet have the ability to detect this malware, though we expect that to change soon.
In addition, go to Settings -> System Updates to check for any software updates for your device.
If an infection is found, we strongly urge you to change the passwords for any accounts that may be saved on the device. Other accounts using that same password may be compromised as well.
Since April 28th, a relatively small number of e-mail accounts have been compromised, but we were unable for quite some time to determine how those account credentials might have been exposed. In addition we’ve been consistently seeing one new compromised account every day or two. Compromised accounts are typically used to send a simple e-mail like the one below to between 40 and 50 recent contacts:
Washburn is not alone in seeing this. Washburn ITS staff have been working together with IT staff at other universities around the country who have been experiencing the same thing. Similar spam messages have been seen on commercial mail and chat services as well – Yahoo mail, Gmail, Hotmail/Outlook.com, Facebook, and Twitter to name a few.
While a full analysis of this malware is not yet available, we now know that these links were being used both to direct people to fake diet-pill websites and along the way Android devices were specifically targeted for compromise, infection, and exploitation.
We believe e-mail account credentials are being compromised as well if they have been saved in web browsers or applications on the compromised Android devices. There are also indications that if the same password is used on multiple accounts, other accounts using that same password may be compromised as well.
We’ll provide additional updates as they are available.