Researchers at security intelligence blog Trend Micro have discovered a new version of mobile malware “Godless” that targets devices running Android 5.1 Lollipop or earlier. Unfortunately, that means almost 90% of all Android devices used worldwide are vulnerable to the threat.
Godless is similar to an exploit kit, having multiple exploits, and uses an open-source rooting framework called android-rooting-tools. This is what the company had to say in its official statement regarding the newly found threat:
Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and has affected over 850,000 devices worldwide.
According to Trend Micro, upon gaining root privilege, the malware can then be remotely controlled to silently install unwanted software on the affected device, or even worse – to spy on the user.
Malicious apps using older versions of the Godless contain a local exploit binary, which uses exploit code from the android-rooting-tools framework. Once the app is downloaded, the malware waits until the affected device's screen is off to begin the rooting process. Once it's done, it then drops a payload as a system app in the form of an AES-encrypted file called “_image”. It cannot be easily removed.
Global distribution of affected devices
However, the new variant of Godless is “made to only fetch the exploit and the payload from a remote command and control (C&C) server.“ Experts believe that this is so that the malware can bypass security checks done by app stores such as Google Play.
Recommended Stories
We found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games. For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code.
The aforementioned app seems to have been removed from Google Play. Trend Micro goes on to warn:
We have also seen a large amount of clean apps on Google Play that has corresponding malicious versions – they share the same developer certificate – in the wild. The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior. Note that updating apps outside of Google Play is a violation of the store’s terms and conditions.
When downloading apps, regardless of their nature, you should always do a quick background check on the developer. It sounds tedious, we know, but it's a good idea nonetheless. Unknown new developers could be a source of malicious apps, Trend Micro warns. Dwonloading a trusted antivirus app might also be a good idea, as well as avoiding apps from untrusted sources.
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed: