“Godless” malware can affect 90% of Android devices, installs unwanted apps

“Godless” malware can affect 90% of Android devices, installs unwanted apps
Researchers at security intelligence blog Trend Micro have discovered a new version of mobile malware “Godless” that targets devices running Android 5.1 Lollipop or earlier. Unfortunately, that means almost 90% of all Android devices used worldwide are vulnerable to the threat.

Godless is similar to an exploit kit, having multiple exploits, and uses an open-source rooting framework called android-rooting-tools. This is what the company had to say in its official statement regarding the newly found threat:

According to Trend Micro, upon gaining root privilege, the malware can then be remotely controlled to silently install unwanted software on the affected device, or even worse – to spy on the user.

Malicious apps using older versions of the Godless contain a local exploit binary, which uses exploit code from the android-rooting-tools framework. Once the app is downloaded, the malware waits until the affected device's screen is off to begin the rooting process. Once it's done, it then drops a payload as a system app in the form of an AES-encrypted file called “_image”. It cannot be easily removed.

However, the new variant of Godless is “made to only fetch the exploit and the payload from a remote command and control (C&C) server.“ Experts believe that this is so that the malware can bypass security checks done by app stores such as Google Play.

The aforementioned app seems to have been removed from Google Play. Trend Micro goes on to warn:

When downloading apps, regardless of their nature, you should always do a quick background check on the developer. It sounds tedious, we know, but it's a good idea nonetheless. Unknown new developers could be a source of malicious apps, Trend Micro warns. Dwonloading a trusted antivirus app might also be a good idea, as well as avoiding apps from untrusted sources.

source: Trend Micro



1. LetsBeHonest

Posts: 1548; Member since: Jun 04, 2013

When an OS become tooo popular with open hearted nature then it'll also become popular for hackers/threats...

6. LetsBeHonest

Posts: 1548; Member since: Jun 04, 2013

One of my friend had a similar situation recently (don't know if is the same). He was using Chinese entry level gionee(don't know the model number). He downloaded & installed something from somewhere (stupid thing to do) and then it started downloading unwanted apps whenever the phone gets connected to internet. Mostly adult sexy apps. He tried hard resetting the phone but it wasn't helpful until he thrown it toward a wall and screen broke :) (intentionally). In his case it was his fault downloading apps from third party sources but the article says it can be get affected even from playstore which is a bit scarrrryyy.

10. mahima

Posts: 729; Member since: Nov 20, 2014

same 'adult content' thing happen to my friends lava phone, whenever she took out her phone, she always covered it with the other hand...hard reset does not help...i don't know how she got though...

32. LetsBeHonest

Posts: 1548; Member since: Jun 04, 2013

I googled it and found some Android antiviruses are capable of finding such malwares. But couldn't try it out. He broke the phone in to pieces by the time.

45. krystian

Posts: 423; Member since: Mar 16, 2016

Seriously... it happened on my windows mobile phone.... all this porn ended up on my Sdcard.... man that is some ummm weird stuff.. Going to have to show the wife this article cuz she was mad.

53. AlikMalix unregistered

Android and windoes phones users are so lucky - they can use this article and many others as an excuse why there's "questionable media" on their phone. Us iOS users do t have the luxury of having our devices do stuff on their own without users consent or input. (Just trolling a little). But your post made me laugh.

54. Scott93274

Posts: 6033; Member since: Aug 06, 2013

Sigh... I'm stuck with Android N already.... I have no excuses. :P It's all good, trolling in moderation is acceptable. Carry on. :D

55. TheOracle1

Posts: 2260; Member since: May 04, 2015

Yeah and if you try to do anything to your Crappel it'll brick itself and you'll have to beg your masters at Cupertino to fix it for about $300. No thanks. (Just trolling) But your post made me laugh. ;-)

25. marorun

Posts: 5029; Member since: Mar 30, 2015

Its not in play store anymore and been removed. If you use third party store or side loading its your own fault. Play store like app store from apple remove those malicious app when found and actively search for them. there also an option since kitkat thats make it possible for play store to uninstall those app automatically from your phone when they detect them.

56. Unordinary unregistered

Ok let's start allowing excuses.

4. submar

Posts: 713; Member since: Sep 19, 2014

Nothing is perfect. -said Mxy

47. aegislash

Posts: 1495; Member since: Jan 27, 2015

I feel like they'd say something more along the lines of 'Things like this don't happen on iOS.'

8. legiloca

Posts: 1676; Member since: Nov 11, 2014

Damn.. :(

13. AdamLeonard

Posts: 61; Member since: Aug 24, 2011

Your title is clickbait. You know you wrote it in such a way that makes it sound like 90% of Android devices have been affected which you know people will wrongly interpret as "90% of Android devices have been Godless malware installed!" You could have easily said "90% of Android devices are vulnerable to 'Godless malware'". I only clicked the bait to write this criticism.

14. ibend

Posts: 6747; Member since: Sep 30, 2014

yeah right.. the article said "has affected over 850,000 devices worldwide" and somehow it turned into "malware affects 90% of Android devices" for title, lol..

33. marorun

Posts: 5029; Member since: Mar 30, 2015

850,000 out of billions of device its quite small. As usual iphonearena at its best.

15. AstronautJones

Posts: 305; Member since: Aug 01, 2012

BS trolling by Phonearena. Change the title

40. Mxyzptlk unregistered

Or poor security from Android? Don't like it when Android has security issues.

20. TheOracle1

Posts: 2260; Member since: May 04, 2015

iPhonearena strikes again. I wasn't aware that only One Million Android devices had been sold worldwide! I mean if 90% of Android devices are affected and 850,000 have been infected, then approximately 1,000,000 Android devices are in existence. I was certain there were more than that but grateful to iPhonearena for clearing things up.

22. Scott93274

Posts: 6033; Member since: Aug 06, 2013

Latest reports suggest that Marshmallow has made its way onto 10% of Android phones, This issue impacts Android devices running on versions of Android Lollipop and earlier thus 90%. "Godless targets devices running Android 5.1 Lollipop or earlier" It says "targets", it doesn't say infected. So it infects less than 1% world wide, 0.01% thus far in the US. There's nothing wrong with Phone Arena's article, just your reading comprehension.

23. jellmoo

Posts: 2585; Member since: Oct 31, 2011

The title says "Affects" though, not "Targets". It's misleading since the word indicates that 90% of Android devices are affected by the malware. The wording could definitely be better: "“Godless” malware could potential affect 90% of Android devices..." "“Godless” malware could infect up to 90% of Android devices..." “90% of Android handsets are at risk of being infected by Godless” malware..." The wording chosen is clickbaity since it implies that handsets are already infected.

28. Scott93274

Posts: 6033; Member since: Aug 06, 2013

Good point, the title is misleading.

49. TheOracle1

Posts: 2260; Member since: May 04, 2015

And thus my tongue in cheek post. Before you question someone else's reading comprehension I suggest you take a long look at your own first. Once again iPhonearena has changed the title of the article. This is the second time in a week they've had to do it.

36. marorun

Posts: 5029; Member since: Mar 30, 2015

the title say goldless malware affect 90% of android devices. So the tittle is wrong. Stop apologizing for iphonearena plz.

24. KingSam

Posts: 1448; Member since: Mar 13, 2016

I'm on marshmallow :D

29. Loubielou

Posts: 603; Member since: Jul 11, 2012

Thats the only trouble with the Android software,you can go onto sites to download applications,but then you get annoying alerts saying your phone as got a virus or there something draining your battery,some will trust this news then lose there phone,Google should be doing something to improve the security on Android to stop this happening more to stop sites offering Android applications

37. marorun

Posts: 5029; Member since: Mar 30, 2015

Well dont click the option : accept untrusted sources. Its easy. Its like real life if you dont want to get attacked you sont wear 100000$ of gold and go in a poor sector of a city right? Dont want to get aids then your choose partners carefully and protect yourself right? PA dont say but android anti virus like AVG detect godless malware so another way to protect your ass is to use it. Do you leave your home door unlock when you go out for 1 week? Man ppl need to wake up.


Posts: 652; Member since: Jun 28, 2014

Glad I run CM13 because aside from the vast performance increase over stock firmware, I also get the monthly security patch.

66. Sabres

Posts: 26; Member since: Jun 15, 2016

Yeah, that's true. Happened with my Samsung Galaxy Tab 2 which was running Jelly Bean. But, I don't use it anymore so I tried resetting it but the virus was there even after the reset. I m lucky that I don't use it. It had all porny stuff in it after the virus. I'm glad I bought a Huawei phone a year ago. Huawei has a very very strict setting on it's EMUI which can't be changed even if we root it. Huawei phone running emui 3.1 and above won't be effected as the phone always informs the user when an installation is gonna take place. It doesn't allow any app to be installed until or unless the user taps yes. And on Marshmallow, even if we install an app, no permission is accepted until or unless the user goes to the settings and permits the app.

* Some comments have been hidden, because they don't meet the discussions rules.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.