Skip to content

The Communication Function of Malicious URLs

In last month's mobile review, we discussed the use of malicious URLs in attacks on mobile devices. Through the use of malicious URLs, cybercriminals are able to infiltrate your mobile device. We pointed out two motivations cybercriminals have for using them. First, malicious URLs make launching online attacks easier, and second, they allow cybercriminals to cover a wide target area comprising Internet-ready mobile devices.


Attack scenarios often involve social engineering techniques designed to trick mobile device users into clicking malicious URLs and downloading malicious Android application package (APK) files. Once these files are in place, your device's security is compromised.


Malicious URLs, as we've noted, are disease vectors. This means they are used by cybercriminals as a way to spread mobile malware. But this is not the sole purpose of malicious URLs. They can also be used to infiltrate your device and foster outbound communication.


Malicious APKs Phone Home


Not only do mobile malware like malicious downloaders and backdoors rely on malicious URLs to infiltrate your device, they also need them to send or request additional information required to perform specific functions. Almost 17% of the mobile malware we’ve found so far have malicious URLs embedded in them. As seen in Figure 1, 90% of those embedded URLs are categorized as "disease vectors."


Classification of Malicious URLs Embedded in Malicious Apps

Figure 1: The majority of malicious URLs embedded in malicious apps are categorized as "disease vectors."


Malicious downloaders use malicious URLs to download and install additional malicious files and components in your device. They request information and receive malicious packages in return.


Backdoors also take advantage of malicious URLs in the same way. Once installed in your device, they communicate with remote sites to acquire new scripts, which they can then parse and use.


In January this year, a backdoor used a malicious URL to download a script it needed to update the one currently running on the infected device. When the said script is integrated into the malware, the malware is able to avoid anti-malware detection. This new ability allows the backdoor to download a new variant of itself from a malicious URL. The same script also contains customized commands a remote attacker can execute. In this particular case, executing these commands causes a notification asking you to download other files to appear.


This example reveals that two-way communication between mobile malware installed in a device and malicious URLs is possible. Since attackers can now remotely ask you to download more malicious files onto your device, it's also likely that they can perform more intrusive or damaging tasks.


Another backdoor we detected earlier this year allows cybercriminals to execute commands like sending and deleting messages and making phone calls. These can result in unnecessary charges on your mobile phone bill. The backdoor also allows cybercriminals to send your contact list and GPS location to malicious domains.


A Lot to Lose


The relationship between mobile malware and malicious URLs is often overlooked. When they work together, they pose a serious threat to your device as well as your information and privacy. Any data you store in your mobile device will be ripe for the picking. Personal details, messages, and the like can be stolen and sold underground by cybercriminals.


Though it's advisable to double-check granted app permissions, you can't always be too sure of this safety practice. Cybercriminals are getting better in using social engineering. The limitations of mobile devices like having a small screen make it more difficult to determine malicious apps and URLs from safe ones.


The risk of mobile malware infection is greatly decreased though with the use of a security app. Even if traditional mobile security apps help alleviate threats by blocking the download and installation of malicious files, they don't completely eliminate the risks malicious URLs pose. Since malicious downloaders and backdoors use malicious URLs to function on your device, an app that relies on web reputation technology is recommendable.


If your mobile device is already infected by mobile malware before you even have the chance to install the appropriate security solution, it still isn't too late. Security apps that use web reputation technology can still stop communication between the mobile malware and the malicious URLs it tries to access.


See the hottest threats here


Connect with us on