“Godless” malware can affect 90% of Android devices, installs unwanted apps
Researchers writing on Trend Micro's security intelligence blog have discovered a new version of the mobile malware “Godless” that targets devices running Android 5.1 Lollipop or earlier. That means almost 90% of all Android devices in use worldwide are vulnerable to the threat.
Godless is similar to an exploit kit in that it bundles multiple exploits, and it uses an open-source rooting framework called android-rooting-tools. This is what the company had to say in its official statement regarding the newly found threat:
“Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and have affected over 850,000 devices worldwide.”
According to Trend Micro, upon gaining root privilege, the malware can be remotely controlled to silently install unwanted software on the affected device or, even worse, to spy on the user.
Malicious apps using older versions of Godless contain a local exploit binary, which uses exploit code from the android-rooting-tools framework. Once the app is downloaded, the malware waits until the affected device's screen is off to begin the rooting process. Once rooting is done, it drops a payload as a system app in the form of an AES-encrypted file called “_image”. It cannot be easily removed.
[Figure: Global distribution of affected devices]
However, the new variant of Godless is “made to only fetch the exploit and the payload from a remote command and control (C&C) server.” Experts believe that this is so that the malware can bypass security checks done by app stores such as Google Play.
“We found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games. For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code.”
The aforementioned app seems to have been removed from Google Play.
Trend Micro goes on to warn:
“We have also seen a large amount of clean apps on Google Play that have corresponding malicious versions – they share the same developer certificate – in the wild. The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior. Note that updating apps outside of Google Play is a violation of the store’s terms and conditions.”
When downloading apps, regardless of their nature, you should always do a quick background check on the developer. It sounds tedious, we know, but it's a good idea nonetheless. Unknown new developers could be a source of malicious apps, Trend Micro warns. Downloading a trusted antivirus app might also be a good idea, as well as avoiding apps from untrusted sources.
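A quick device triage for the two exposure conditions described above (Android 5.1 or earlier, and apps that arrived from outside Google Play), as an added example that is not from Trend Micro or the original article. It assumes the two inputs are the saved output of `adb shell getprop ro.build.version.sdk` and `adb shell pm list packages -3 -i`; the sample data and package names are constructed.

```python
import re

PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store app
MAX_AFFECTED_SDK = 22                   # API level 22 is Android 5.1 (Lollipop)

# Constructed sample output; the package names are made up for illustration.
SAMPLE_SDK = "19\n"
SAMPLE_PACKAGES = """\
package:com.example.flashlight  installer=null
package:com.example.wifitool  installer=com.android.vending
package:com.example.game.copy  installer=com.example.thirdpartystore
"""

_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def in_affected_range(getprop_sdk_output):
    """True if the reported API level is Android 5.1 (API 22) or earlier."""
    return int(getprop_sdk_output.strip()) <= MAX_AFFECTED_SDK


def non_play_installs(pm_output):
    """Return {package: installer} for apps not installed by Google Play."""
    flagged = {}
    for line in pm_output.splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            continue  # skip blank or unexpected lines rather than guessing
        installer = m.group("installer")
        if installer != PLAY_INSTALLER:
            # "null" means no installer was recorded, e.g. a sideloaded APK
            flagged[m.group("pkg")] = installer
    return flagged


def triage(getprop_sdk_output, pm_output):
    """Combine both checks into one report for a single device."""
    return {
        "affected_android_version": in_affected_range(getprop_sdk_output),
        "non_play_apps": non_play_installs(pm_output),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SDK, SAMPLE_PACKAGES)
    print("Android 5.1 or earlier:", report["affected_android_version"])
    for pkg, installer in sorted(report["non_play_apps"].items()):
        print("not installed via Google Play:", pkg, "(installer=%s)" % installer)
```

An installer of com.android.vending does not clear an app, since some of the malicious apps described here were distributed through Google Play itself; the list only narrows down which apps to review first.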
source: Trend Micro