SecurityWeek

Android Malware Developed in Kotlin Programming Language Found in Google Play

Security researchers at Trend Micro have discovered a malicious application in Google Play that was developed using the Kotlin programming language.

Detected as ANDROIDOS_BKOTKLIND.HRX, the malicious program was masquerading as Swift Cleaner, a utility designed to clean and optimize Android devices. The application had between 1,000 and 5,000 installs when discovered.

Kotlin, a first-class language for writing Android apps, was announced in May 2017. Coming from Google, it is open source and is already used by 17% of Android Studio projects. Some of the top applications to use the programming language include Twitter, Pinterest, and Netflix.

Developers using Kotlin can deliver safer applications by avoiding entire classes of errors, and can also ensure their software is interoperable by taking advantage of existing libraries for the JVM, Android, and the browser. What remains uncertain is how malware developers can leverage the programming language when building nefarious code.

The discovered malicious application, Trend Micro says, can engage in a broad range of nefarious activities, including remote command execution. It is also capable of stealing users’ information, sending SMS messages, forwarding URLs, and performing click ad fraud. Furthermore, it has been designed to sign up users for premium SMS subscription services without their permission.

When first launched, the malware sends device information to a remote server and starts a background service to receive tasks from the command and control (C&C) server. Upon the initial infection, the malware also sends a message to a specified number provided by the C&C.

Upon receiving SMS commands, the remote server starts executing URL forwarding and click ad fraud operations on the infected device.

During the click ad fraud routine, the malware uses Wireless Application Protocol (WAP), a technical standard for accessing information over a mobile wireless network. Next, malicious JavaScript code is injected and regular expressions are replaced, so that the malicious actors can parse the ads’ HTML code in a specific search string.

“Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server,” Trend Micro explains.

The malicious program can send information on the service provider, login data, and CAPTCHA images to the C&C server. Once such information is uploaded, the C&C server automatically processes a premium SMS service subscription, which can cost the victim money.

To stay protected from such threats, both end users and enterprise customers are advised to install and maintain a security solution on their devices.

According to Trend Micro, Google was informed of the security risk the Swift Cleaner application poses, and the company verified that Google Play Protect can keep users safe from this malware family.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
