Researchers have discovered a new family of mobile malware that has made its way into the Google Play store and, by rooting the device, is capable of completely compromising more than 90 percent of the Android phones currently in use, according to the researchers.
The malware, which researchers at Trend Micro are calling Godless, bundles exploits for several known Android vulnerabilities, some of them a couple of years old. The malware has already hit more than 850,000 devices, the researchers said, and it affects devices running Android 5.1 (Lollipop) or earlier, the versions on which those vulnerabilities remain unpatched.
“Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. The said framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community,” Veo Zhang, a mobile threat analyst at Trend Micro, said in an analysis of the Godless malware.
The malware is hidden inside apps in various mobile app stores, and once a user downloads and installs a trojanized app, Godless waits until the device’s screen is turned off before running its rooting exploits. It then installs its payload as a system app, which cannot be uninstalled through the normal app settings and is difficult to remove without root access.
“In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users,” Zhang said.
The newest version of Godless includes a function that waits until it has been installed on a new device and only then contacts a remote server to download the exploit and the payload. Zhang said this behavior is likely a way of evading the security checks Google runs on apps submitted to its Play store, since the app as submitted carries no exploit code of its own. The Godless code is typically found in a variety of utility apps, such as flashlight apps.
“We have also seen a large number of clean apps on Google Play that have corresponding malicious versions—they share the same developer certificate—in the wild. The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior,” Zhang said.
The most recent versions of Godless, once they have root privileges, install a backdoor that is then used to silently install other malicious apps on the device.