Malicious Android Adware Infects Devices in 20 Countries

Researchers at FireEye have been monitoring a malicious adware campaign that has affected the devices of Android users in more than 20 countries.

The threat, which the security firm has dubbed “Kemoge” after its command and control (C&C) domain aps.kemoge.net, is packaged with various popular Android apps, including browsers, calculators, games, device lockers and sharing tools.

These applications are uploaded to third-party app stores and promoted through in-app ads and download links posted on various websites. According to FireEye, the threat can also be installed automatically by aggressive advertising networks that are able to gain root privileges on the device.

Once installed on a smartphone, Kemoge collects information on the infected device and starts serving ads. The ads are displayed to victims regardless of their activities, even without any apps running.

While at this point Kemoge seems like just another piece of adware, FireEye has discovered that there’s more to it than simply displaying ads. The threat makes some changes to the system so that it’s automatically launched when the victim unlocks the screen or the network connectivity is changed.

Then, it looks for a ZIP file disguised as a harmless MP4, from which it extracts eight exploits designed to root phones. By carrying multiple root exploits, the malware increases the range of devices it can root. Some of these exploits are publicly available as open source, while others were obtained from a commercial tool dubbed “Root Master” (Root Dashi) that has been used in other similar campaigns.
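A file whose extension says MP4 but whose bytes say ZIP is easy to catch by looking at magic bytes rather than names. The following checker is an added example, not FireEye's code or anything from the campaign; the sample files it inspects are constructed in memory and contain only a placeholder entry.

```python
import io
import zipfile

# Magic bytes: every ZIP local file header starts with "PK\x03\x04";
# an ISO BMFF (MP4) file carries the "ftyp" box type at offset 4.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
MP4_FTYP_OFFSET = 4
MP4_FTYP = b"ftyp"


def classify_container(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the content actually is.

    Flags files whose extension is .mp4 but whose content is a ZIP archive,
    the disguise the article describes for the exploit bundle.
    """
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(ZIP_LOCAL_HEADER):
        actual = "zip"
    elif data[MP4_FTYP_OFFSET:MP4_FTYP_OFFSET + 4] == MP4_FTYP:
        actual = "mp4"
    else:
        actual = "unknown"
    entries = []
    if actual == "zip":
        # List the archive members so an analyst sees what the "video" hides.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.namelist()
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "suspicious": claimed == "mp4" and actual == "zip",
        "entries": entries,
    }


def build_samples() -> dict:
    """Constructed inputs: a ZIP renamed to .mp4 and a minimal genuine MP4 header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload/placeholder.bin", b"constructed sample, not a real exploit")
    fake_video = buf.getvalue()
    # 24-byte ftyp box: size, "ftyp", major brand, minor version, compatible brands
    real_video = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
    return {"clip.mp4": fake_video, "intro.mp4": real_video}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(classify_container(fname, blob))
```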

Once it gains root privileges on the device, the threat uses another component to ensure persistence, after which it injects an APK into the system partition disguised as a legitimate system service.

This service contacts aps.kemoge.net and waits for commands from the attackers. To avoid detection, the service contacts the server on its first launch and thereafter only 24 hours after the previous command.
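A beacon that calls home once a day never trips volume-based alerting, so the detection has to key on the destination itself and then expose the cadence. The script below is an added example, not part of the article or FireEye's analysis; it runs over constructed resolver log lines in a made-up "time device name" format and reports, per device, each contact with the C&C domain and the gaps between contacts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

C2_DOMAIN = "aps.kemoge.net"  # the C&C domain named in the article

# Constructed resolver log (not real telemetry): "<ISO time> <device> <queried name>"
SAMPLE_LOG = """\
2015-10-01T08:00:00 phone-a1 aps.kemoge.net
2015-10-01T08:00:05 phone-a1 cdn.example.net
2015-10-01T09:15:00 phone-b2 www.example.org
2015-10-02T08:00:30 phone-a1 aps.kemoge.net
2015-10-03T08:01:00 phone-a1 aps.kemoge.net
2015-10-03T12:00:00 phone-c3 aps.kemoge.net
"""


def parse_log(text: str):
    """Yield (timestamp, device, domain) tuples from the log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, domain = line.split()
        yield datetime.fromisoformat(ts), device, domain


def find_c2_contacts(text: str, c2_domain: str = C2_DOMAIN) -> dict:
    """Per device: number of C&C contacts, the gaps between them, and whether
    every gap is at least 24 hours (the sparse rhythm the article describes).

    A single contact is enough to flag a device; the gap list is context for
    the analyst, not a precondition for alerting.
    """
    contacts = defaultdict(list)
    for ts, device, domain in parse_log(text):
        if domain.lower() == c2_domain:
            contacts[device].append(ts)
    report = {}
    for device, times in contacts.items():
        times.sort()
        gaps_h = [round((b - a) / timedelta(hours=1), 2) for a, b in zip(times, times[1:])]
        report[device] = {
            "contacts": len(times),
            "gaps_hours": gaps_h,
            "daily_cadence": bool(gaps_h) and all(g >= 24 for g in gaps_h),
        }
    return report


if __name__ == "__main__":
    for dev, info in find_c2_contacts(SAMPLE_LOG).items():
        print(dev, info)
```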

The attackers can send commands to uninstall a specified application, launch an app, or download and install apps from a provided URL. When observed by FireEye, the server had sent commands to uninstall antiviruses and popular applications.

The security company believes this malicious adware might be the creation of a developer from China. Experts reached this conclusion after discovering one of the malicious apps on Google Play. The version uploaded to Google Play, downloaded between 100,000 and 500,000 times, did not contain the root exploits or the C&C behavior, but it was removed after the Internet giant was notified by FireEye.

Both the app hosted on Google Play and the malicious version were signed with the same certificate, which indicates that they come from the same developer. The name of the developer who uploaded the tool to Google Play, Zhang Long, and the third-party libraries he used in the app suggest that he is from China, FireEye said.

Experts spotted Kemoge infections in over 20 countries, including China, the United States, Russia, Saudi Arabia, Egypt, Malaysia, Indonesia, France, the United Kingdom, Poland and Peru.

This is not the only malicious adware family analyzed recently by FireEye. In September, the company published a report on a threat designed to allow attackers to completely take over Android devices. Experts determined at the time that a mobile app promotion company based in China might be behind the operation.

It’s worth noting that the Root Master exploits used by Kemoge were also spotted in this campaign, and experts believe someone from the Chinese mobile app promotion firm might be involved in the development of the exploits.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
