Security Alert: PushBot -- A Push-Based App Delivery Model Identified in the Wild
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Working in collaboration with NQ Mobile, our team
at NC State University discovered an interesting Android app, which implements a new app delivery model
different from the popular centralized marketplace-based model.
The app typically embeds itself
in another host app or even in a custom phone firmware image, communicates from time to time with
its remote command and control (or C&C) servers, or rather app distribution networks, and
offers a number of (sponsored) apps for the user to download. In essence, where a traditional
app market (e.g., Google's Android Market) adopts a "pull" distribution method, i.e., the user goes and
actively finds something to download, the new model offers
market-like functionality in a "push" manner, i.e., sponsored apps are
proactively delivered to the user. The organizers of such app distribution networks can then derive
profit from each successful app offer or installation, in much the same
way an advertising network derives its revenue. To differentiate it from the current app delivery model, we name the new model PushBot.
How it works
We detected one PushBot example in a customized Android firmware image. Based on our analysis, we found that the PushBot
codebase is small and well structured. When it runs, it periodically polls a C&C
server for a list of apps to offer. When new apps are published via this mechanism, PushBot offers
them to the user via Android's notification bar. When the user downloads an app, the
app is fetched from another server. Information is transmitted at each
step that allows PushBot's owners to track its effectiveness. The general
flow of information is shown below.
Internally, PushBot follows a very simple sequence of steps to carry out
its work.
- PushBot listens for two system events, BOOT_COMPLETED and
CONNECTIVITY_CHANGED, that signal either the device being turned on or
gaining network access.
- When either of these events is received, PushBot starts its core
service, which sends the phone's unique hardware identifier (IMEI) to its
C&C server. In return, the C&C server sends
back the set of apps currently being promoted as well as some additional
parameters for the client.
- PushBot then places a notification in the user's status bar. Clicking
on this notification brings up a gallery of apps being offered, similar in
substance to the Android Market. If the user elects to download an app, it
is downloaded from another server and stored in a temporary file.
- In the event that the download fails for whatever reason, PushBot will
keep trying to complete it.
- Once the app has been successfully downloaded, PushBot asks the user to
install it. The user must again agree to the installation, as PushBot itself
does not hold the tightly restricted permission needed to silently install apps.
- Android fires off an event once installation is complete. PushBot
listens for this event, and removes the app's downloaded temporary file.
At each stage, PushBot maintains information in its internal database
about the status of the apps it has installed. In this way, it is able to
remember where in the process each app is, even across system reboots or
shutdowns.
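The sequence above maps onto a small, stable set of manifest-level traits: a receiver that wakes on boot or connectivity changes, permission to read the IMEI and reach the network, and a receiver for the install-completed event. As an added example (not code from the original article or from PushBot itself), the following Python script parses a decoded AndroidManifest.xml and flags that combination as a triage heuristic for PushBot-like components found in a firmware image. The manifests embedded in it are constructed for illustration; the package and class names in them are made up, while the action and permission strings are the standard Android ones (the manifest action for the connectivity event is android.net.conn.CONNECTIVITY_CHANGE).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Standard Android action and permission strings corresponding to the steps
# described above (wake on boot/connectivity, read the IMEI and talk to a
# server, watch for the install to finish).
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
CONNECTIVITY_ACTION = "android.net.conn.CONNECTIVITY_CHANGE"
PACKAGE_ADDED_ACTION = "android.intent.action.PACKAGE_ADDED"
PERM_PHONE_STATE = "android.permission.READ_PHONE_STATE"
PERM_INTERNET = "android.permission.INTERNET"

# Constructed sample manifest showing all three traits (illustrative names,
# not PushBot's real manifest).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pushlike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InstallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <service android:name=".OfferService"/>
  </application>
</manifest>
"""

# Constructed sample manifest of an ordinary networked app, for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (permissions, receiver_actions) from a decoded manifest.

    receiver_actions maps each intent action a <receiver> subscribes to onto
    the set of receiver class names that handle it.
    """
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    receiver_actions = {}
    for receiver in root.iter("receiver"):
        receiver_name = receiver.get(NAME_ATTR, "?")
        for action in receiver.iter("action"):
            receiver_actions.setdefault(action.get(NAME_ATTR), set()).add(receiver_name)
    return permissions, receiver_actions


def triage(xml_text):
    """Flag PushBot-like traits; returns a sorted list of finding strings."""
    permissions, receiver_actions = parse_manifest(xml_text)
    findings = []
    wake_actions = {BOOT_ACTION, CONNECTIVITY_ACTION} & set(receiver_actions)
    if wake_actions:
        findings.append("wakes on %s" % ", ".join(sorted(wake_actions)))
    if PERM_PHONE_STATE in permissions and PERM_INTERNET in permissions:
        findings.append("can read IMEI and reach the network")
    if PACKAGE_ADDED_ACTION in receiver_actions:
        findings.append("watches for package installs")
    return sorted(findings)


def is_pushbot_like(xml_text):
    """Conservative rule: all three traits together, not any single one."""
    return len(triage(xml_text)) == 3


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, is_pushbot_like(manifest), triage(manifest))
```

Each trait on its own is common in legitimate apps (many apps wake on boot, and any app needing a device identifier requests READ_PHONE_STATE), so the rule only fires when all three appear together; a hit is a reason to pull the component for manual review, not a verdict. The same parser can be pointed at every manifest extracted from a firmware image to shortlist bundled components worth a closer look.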
Mitigation:
While we don't consider PushBot itself malicious, the aggressive nature
of pushing down additional apps and the abusive use of the notification bar are
questionable and problematic. To avoid these apps, please follow common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust, and always check reviews, ratings, and developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of your mobile phone and make sure you have up-to-date security software installed on it.
Follow-ups:
- 2/16/2012: This article goes public.
Last modified: Feb 16, 2012