Researchers at FireEye have been monitoring a malicious adware campaign that has affected the devices of Android users in more than 20 countries.
The threat, dubbed by the security firm “Kemoge” based on the name of its command and control (C&C) domain aps.kemoge.net, is packaged with various popular Android apps, including browsers, calculators, games, device lockers and sharing tools.
These applications are uploaded to third-party app stores and promoted through in-app ads and download links posted on various websites. According to FireEye, the threat can also be installed automatically via aggressive advertising networks that can gain root privileges to the device.
Once installed on a smartphone, Kemoge collects information on the infected device and starts serving ads. The ads are displayed to victims regardless of their activities, even without any apps running.
While at this point Kemoge seems like just another piece of adware, FireEye has discovered that there’s more to it than simply displaying ads. The threat makes some changes to the system so that it’s automatically launched when the victim unlocks the screen or the network connectivity is changed.
Then, it looks for a ZIP file disguised as a harmless MP4 from which it extracts eight exploits designed to root phones. By using multiple root exploits, the malware can ensure that it’s capable of hacking a wide range of devices. Some of these exploits are publicly available as open source, while others have been obtained from a commercial tool dubbed “Root Master” (Root Dashi) that has been used in other similar campaigns.
Once it gains root privileges on the device, the threat uses another component to ensure persistence, after which it injects an APK into the system partition disguised as a legitimate system service.
This service contacts aps.kemoge.net and waits for commands from the attackers. In order to avoid detection, the service only contacts the server on the first launch and then only after 24 hours from the previous command.
The attackers can send commands to uninstall a specified application, launch an app, or download and install apps from a provided URL. When observed by FireEye, the server had sent commands to uninstall antiviruses and popular applications.
The security company believes this malicious adware might be the creation of a developer from China. Experts made the assumption after discovering one of the malicious apps on Google Play. The version uploaded to Google Play, downloaded between 100,000 and 500,000 times, did not contain the root exploits or the C&C behavior, but it has been removed after the Internet giant was notified by FireEye.
Both the app hosted on Google Play and the malicious version were signed with the same certificate, which indicates that they come from the same developer. The name of the developer who uploaded the tool to Google Play, Zhang Long, and the third-party libraries he used in the app suggest that he is from China, FireEye said.
Experts spotted Kemoge infections in over 20 countries, including China, the United States, Russia, Saudi Arabia, Egypt, Malaysia, Indonesia, France, the United Kingdom, Poland and Peru.
This is not the only malicious adware family analyzed recently by FireEye. In September, the company published a report on a threat designed to allow attackers to complete take over Android devices. Experts determined at the time that a mobile app promotion company based in China might be behind the operation.
It’s worth noting that the Root Master exploits used by Kemoge were also spotted in this campaign, and experts believe someone from the Chinese mobile app promotion firm might be involved in the development of the exploits.