Security Alert: PushBot -- A Push-Based App Delivery Model Identified in the Wild

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Working in collaboration with NQ Mobile, our team at NC State University discovered an interesting Android app that implements a new app delivery model, different from the popular centralized, marketplace-based model. Typically embedded in another host app or even in a custom phone firmware image, the app communicates from time to time with its remote command and control (C&C) servers, or rather its app distribution network, and offers a number of (sponsored) apps for the user to download. In essence, where a traditional app market (e.g., Google's Android Market) uses a "pull" distribution method, i.e., the user goes and actively finds something to download, the new model offers market-like functionality in a "push" manner, i.e., sponsored apps are proactively delivered to the user. The organizers of such an app distribution network can then profit from each successful app offer or installation, in much the same way an advertising network earns its revenue. To differentiate it from the current app delivery model, we name the new model PushBot.

How it works

We detected one PushBot example in a customized Android firmware image. Based on our analysis, the PushBot codebase is small and well structured. When it runs, it periodically polls a C&C server for a list of apps to offer. When new apps are published through this mechanism, PushBot offers them to the user via Android's notification bar. When the user accepts an offer, the app itself is fetched from a second server, separate from the C&C server. At each step, information is sent back that allows PushBot's owners to track its effectiveness. The general flow of information is shown below.

[Figure: PushBot Architecture]

Internally, PushBot follows a very simple sequence of steps to carry out its work.

[Figure: PushBot State Machine]

At each stage, PushBot records the status of every app it is handling in its internal database. In this way, it remembers where each app is in the process, even across system reboots or shutdowns, and does not offer, download or install the same app twice.
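The following is an added, runnable model of the cycle described above (poll the C&C server, offer via the notification bar, fetch from a second server, install, and report each step), written for this page; it is not PushBot's own code, which we do not reproduce here. The table layout, the status names, the offer format in SAMPLE_OFFERS and the example hosts are all assumptions made for illustration. The point it demonstrates is the persistence described in the preceding paragraph: the status of each app survives a restart, so a second poll that returns the same list adds nothing, offered apps are not pushed again, and an app cannot skip a stage.

```python
"""Model of the PushBot cycle (poll C&C, offer via notification bar, fetch from a
second server, install) with per-app status persisted in SQLite across a 'reboot'."""
import os
import shutil
import sqlite3
import tempfile

# One status per stage of the flow the post describes (names are assumptions).
NEW, OFFERED, DOWNLOADED, INSTALLED = "new", "offered", "downloaded", "installed"

# Constructed sample C&C response; field names and hosts are assumptions, not PushBot's protocol.
SAMPLE_OFFERS = [
    {"id": "offer-1", "name": "Sample Game", "url": "http://dist.example/game.apk"},
    {"id": "offer-2", "name": "Sample Tool", "url": "http://dist.example/tool.apk"},
]


class PushBotModel:
    """Hypothetical re-implementation of the described state machine, not PushBot's own code."""

    def __init__(self, db_path, poll_cc, fetch_apk, report):
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS apps "
                        "(id TEXT PRIMARY KEY, name TEXT, url TEXT, status TEXT)")
        self.db.commit()
        self.poll_cc = poll_cc      # callable returning the offer list from the C&C server
        self.fetch_apk = fetch_apk  # callable(url) -> bytes from the distribution server
        self.report = report        # callable(event dict): the tracking beacon sent at each step

    def _transition(self, app_id, from_status, to_status):
        """Advance one app by one stage; persist first, then report, so a reboot loses nothing."""
        cur = self.db.execute("UPDATE apps SET status=? WHERE id=? AND status=?",
                              (to_status, app_id, from_status))
        self.db.commit()
        if cur.rowcount != 1:
            return False  # unknown app or wrong stage: no double download or install
        self.report({"id": app_id, "event": to_status})
        return True

    def poll(self):
        """Stage 1: fetch the offer list; ids not already in the table are stored as NEW."""
        added = 0
        for offer in self.poll_cc():
            if self.db.execute("SELECT 1 FROM apps WHERE id=?", (offer["id"],)).fetchone():
                continue  # seen on an earlier poll, possibly before a reboot
            self.db.execute("INSERT INTO apps VALUES (?,?,?,?)",
                            (offer["id"], offer["name"], offer["url"], NEW))
            added += 1
        self.db.commit()
        return added

    def offer_pending(self):
        """Stage 2: push every NEW app into the notification bar (modelled as strings)."""
        rows = self.db.execute("SELECT id, name FROM apps WHERE status=? ORDER BY rowid",
                               (NEW,)).fetchall()
        return ["notification: " + name for app_id, name in rows
                if self._transition(app_id, NEW, OFFERED)]

    def user_accepts(self, app_id):
        """Stage 3: the user taps the notification; the APK comes from the second server."""
        row = self.db.execute("SELECT url FROM apps WHERE id=? AND status=?",
                              (app_id, OFFERED)).fetchone()
        if row is None or not self.fetch_apk(row[0]):
            return False
        return self._transition(app_id, OFFERED, DOWNLOADED)

    def mark_installed(self, app_id):
        """Stage 4: the package manager reports a successful install."""
        return self._transition(app_id, DOWNLOADED, INSTALLED)

    def status_of(self, app_id):
        row = self.db.execute("SELECT status FROM apps WHERE id=?", (app_id,)).fetchone()
        return row[0] if row else None


def run_scenario():
    """Run one cycle, simulate a reboot by reopening the database, and return what was observed."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "pushbot.db")
    reports = []
    fake_fetch = lambda url: b"PK\x03\x04" + url.encode()  # constructed stand-in for an APK
    try:
        bot = PushBotModel(db_path, lambda: SAMPLE_OFFERS, fake_fetch, reports.append)
        result = {"added": bot.poll(), "notifications": bot.offer_pending(),
                  "accepted": bot.user_accepts("offer-1"),
                  "accepted_again": bot.user_accepts("offer-1")}  # already DOWNLOADED: refused
        bot.db.close()  # shutdown

        bot = PushBotModel(db_path, lambda: SAMPLE_OFFERS, fake_fetch, reports.append)  # reboot
        result.update({"re_added": bot.poll(),             # same list again: nothing new
                       "re_offered": bot.offer_pending(),  # OFFERED apps are not pushed twice
                       "installed": bot.mark_installed("offer-1"),
                       "install_unoffered": bot.mark_installed("offer-2"),  # wrong stage: refused
                       "status": {i: bot.status_of(i) for i in ("offer-1", "offer-2")},
                       "events": [(r["id"], r["event"]) for r in reports]})
        bot.db.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Every transition is written to the database before the tracking event is reported, which is the property the post attributes to PushBot: the operators learn about each offer, download and installation, and the app itself never forgets where an app is in the pipeline, even if the phone is powered off between the notification and the download.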

Mitigation:

While we do not consider PushBot itself malicious, its aggressive pushing of additional apps and its abusive use of the notification bar are questionable and problematic. To avoid such apps, please follow common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: Feb 16, 2012