Cybersecurity company discovers invasive mobile app malware

By Joe Longo

A new report published by Fidelis Cybersecurity found invasive malware secretly attached to mobile applications downloaded to Android devices. Known as JSocket, this virus attaches itself to otherwise legitimate applications and goes undetected by the average user.

University of Illinois Computer Science Lecturer John Bambenek works for Fidelis Cybersecurity and helped to produce the report. He notes JSocket binds itself to Android devices specifically through the Google Play Store.

“There are basically two ways to do it. One, you bind it to a legitimate application and put it on the Google Play Store, or you otherwise trick the user to install it around the Play Store. Install an app from an unverified source,” Bambenek said.

JSocket is the latest in a line of Remote Access Tools (RATs) that take over camera, GPS and audio capabilities on mobile devices.

Unlike most malware, JSocket is highly commercialized. Through jsocket.org, one can subscribe for $25 a month to become an operator. For Bambenek, there are no seemingly beneficial traits of the application. A parent trying to track their child’s phone has better outlets than JSocket.

Thus, there are 700 known operators, Bambenek said.

JSocket received notable coverage recently after the malware was detected on slain Argentine prosecutor Alberto Nisman’s phone. Though the government cited the death as a suicide, much speculation surrounds the timing of his death, which occurred days after he filed a report that suggested President Cristina Fernandez was involved in a 1994 Iranian bombing of a Jewish community center. Bambenek noted the claim is under criminal investigation and the report itself has been turned over to law enforcement.

Notably, JSocket can only bind to the Android operating system. Chief Communications Officer for Technology Services Brian Mertz notes Apple closely reviews submissions to the app store.

“[This] really does make it tougher to sneak a piece of malware into an iPhone,” Bambenek said.

Because it is much easier to submit an app to the Google Play Store, it is a lot easier for malware to be spread through Android devices.

Yet Mertz also attributes the rise of mobile viruses to an increasingly sophisticated approach to malware production. He credits malware's ability to run undetected, without slowing performance.

“Years ago, if you had a few bad viruses, you would notice your computer grinding to a halt [and] stuff crashing all the time,” Mertz said. “The virus writers have gotten a lot smarter to make sure that virus can sit undetected. If it is there to collect information like passwords or banking accounts, they really don’t want it to be found at any point.”

If the malware is detected on an Android phone, deleting the corrupted application will remove the virus.

“If you found a specific application is trojanized, deleting the application will remove the malware. It is inherently tied to the application itself,” Bambenek said. “That is not necessarily the case with other forms of mobile malware.”

Mertz encourages students to take advantage of the University’s free antivirus software available to students and reach out to Technology Services for help combating malware.
