How to Create Your Own Android Trojan in 5 Easy Steps

It seems that every few weeks a new crop of malicious Android apps turns up in the market. Sometimes Google just removes them from the market; other times it uses the "kill switch" to disable already-downloaded apps from Android devices around the world.

Typically these threats are perfectly ordinary-looking apps. Like the Trojan Horse of legend, they enter your device freely, with your permission. Once installed they do something nasty. Some users are shocked that Google can remove stuff from your Android phone remotely. I'm more alarmed at the ridiculous ease with which malicious coders can create Trojans for Android.

At last week's Next@Norton event, Symantec researchers presented a dazzling array of information about the current state of mobile security and the mobile malware landscape. Eric Chien, Technical Director for Security Response, revealed the absurdly simple steps a malefactor uses to create a brand-new Trojan by creating one right in front of the audience. Don't worry; his sample app never left the room.

Here are the five simple steps Chien demonstrated:

One. Start by downloading a free app. You can choose any app at all, but of course you'll want to pick something that will draw plenty of downloads.

Two. The language compilers that create applications on your PC take textual source code and convert it into assembly language that the CPU can read and process. It's a one-way translation; there's no way to go from the final executable file back to the source code. Android apps are written in Java, though, and that means that you can decompile them back to the original source code using simple, easily-available tools. For the next step, decompile your target app.

Three. The third step is a little tricky. You'll need to obtain Java source code that does something nasty, like sending personal information from the device to a third party. For the demonstration, Chien used a known threat called Android.Geinimi.

Four. Adding the Trojan code is absurdly simple. You copy it into the folder containing the existing source code, make a small change in the manifest to run the Trojan code before the rest of the app, and edit the permissions to give the Trojanized app free access to the entire device. While you're at it, tweak the app's name. Chien added "FREE!" to the name for his demo.

Five. Compile the modified app and upload it to the market. You're done!

Of course, malicious apps don't last long in the Android Market. If you really want to spread a dangerous program, you're better off uploading it in China, where there is no official Android market. In fact, virtually all of the examples referenced in Chien's presentation surfaced in the free-for-all markets of China.

Not planning to do this yourself? Good! But I'm sure that like me you're shocked at how easily someone with bad intentions can create a brand new Android Trojan. It's time to look into mobile security for your Android device.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio