hack an Android phone remotely, to the Stagefright bug that made a billion users vulnerable.
Now the latest is 'Kemoge', a malware family that has made its debut as adware on Android phones, allowing apps from third-party app stores to harvest your device's information and take full control of it.
Security researchers from FireEye Labs have discovered that the Kemoge malicious adware family has spread to 20 countries around the globe, and the attack is suspected to originate from China.
What is Kemoge?
The malicious adware family is named after its command and control (C2) domain: aps.kemoge.net.
Kemoge is adware disguised as popular apps; it has circulated in such numbers because it takes the names of popular apps, repackages them with the malicious code, and makes them available to users.
The repackaged apps even use the same developer names as the verified, clean apps on the official Play Store.
Some of the popular apps that have been repackaged are:
- Talking Tom 3
- Assistive Touch
- WiFi Enhancer
How does Kemoge Work?
- The attacker builds a genuine-looking interface, uploads the apps to third-party app stores, and promotes the download links via websites and in-app advertisements.
- Some aggressive ad networks that gain root privilege can also install the samples automatically.
- Once activated on the device, Kemoge collects device information and uploads it to the ad server, then slyly serves ads from the background.
- Victims get ad banners frequently regardless of the current activity, as ads pop up even when the user remains on the Android home screen.
"Initially Kemoge is just annoying, but it soon turns evil," said FireEye researchers.
Kemoge even Affects Rooted Devices
The malicious adware carries eight root exploits to root phones, targeting a wide range of device models.
Some of the exploits are compiled from open source projects, whereas others come from the commercial tool "Root Dashi" (or "Root Master").
"After gaining root, it executes root.sh to obtain persistency," FireEye researchers said. "Afterwards, it implants the AndroidRTService.apk into /system partition as Launcher0928.apk -- the filename imitates the legit launcher system service. Moreover, the package name of this apk also looks like authentic services, e.g. com.facebook.qdservice.rp.provider and com.android.provider.setting."
Moreover, the malicious system service (Launcher0928.apk) contacts aps.kemoge.net for commands.
How does Kemoge Evade Detection?
To evade detection, Kemoge communicates with the server only at certain time intervals: the malware runs its malicious code briefly at first launch, or 24 hours after installation.
In each enquiry, Kemoge sends data including the phone's IMEI, IMSI, storage information, and installed app information to a remote third-party server.
After uploading the device's information, the malware requests commands from the server, which responds with one of the following three commands, and the malicious system service executes it:
- Uninstall designated applications
- Launch designated applications
- Download and install applications from URLs given by the server
FireEye researchers conducted their research on a Nexus 7 running Android 4.3 (Jelly Bean). During the experiment, the server commanded the device to uninstall legitimate apps and filled it with malicious code.
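As an added defender's check (not code from FireEye or this article), the following Python flags the persistence and C2 indicators quoted above on `pm list packages -f` output and DNS resolver log lines. The sample package listing and log lines are constructed, and the log line format is an assumption.

```python
import re
# Indicators taken from the FireEye description quoted above.
C2_DOMAIN = "aps.kemoge.net"
IMPLANT_FILENAME = "Launcher0928.apk"
SUSPICIOUS_PACKAGES = {"com.facebook.qdservice.rp.provider", "com.android.provider.setting"}
# One line of `pm list packages -f` output looks like "package:<apk path>=<package name>".
_PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")

def check_packages(pm_output):
    """Return (package, reasons) pairs for installed packages matching a Kemoge indicator."""
    findings = []
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue
        path, pkg = m.group("path"), m.group("pkg")
        reasons = []
        if path.rsplit("/", 1)[-1] == IMPLANT_FILENAME:
            reasons.append("implant filename " + IMPLANT_FILENAME)
        if pkg in SUSPICIOUS_PACKAGES:
            reasons.append("package name imitates a system service")
        # An APK implanted under /system survives a normal uninstall and a factory reset.
        if reasons and path.startswith("/system/"):
            reasons.append("installed in /system partition")
        if reasons:
            findings.append((pkg, "; ".join(reasons)))
    return findings

def check_dns(log_lines):
    """Return the DNS log lines in which any token is the C2 domain or a subdomain of it."""
    hits = []
    for line in log_lines:
        for token in line.split():
            host = token.rstrip(".").lower()
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                hits.append(line)
                break
    return hits

# Constructed sample listing: a clean system launcher, the Kemoge implant, a sideloaded app.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Launcher2/Launcher2.apk=com.android.launcher
package:/system/app/Launcher0928.apk=com.facebook.qdservice.rp.provider
package:/data/app/com.sample.wifienhancer-1/base.apk=com.sample.wifienhancer
"""
# Constructed resolver log lines (assumed format: timestamp, client, "query", type, name).
SAMPLE_DNS_LOG = [
    "2015-10-07T09:12:01Z 10.0.0.5 query A play.googleapis.com",
    "2015-10-07T09:12:44Z 10.0.0.5 query A aps.kemoge.net.",
]
```

Running `check_packages` on the output of `adb shell pm list packages -f` and `check_dns` on the resolver log for the device's client address surfaces the implant and its C2 beacon together.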
How to Protect Against Kemoge?
Kemoge is a dangerous threat; to stay safe you are advised to:
- Never click on suspicious links from emails, SMS, websites, or advertisements.
- Never install apps from outside the official app store.
- Keep your Android devices up to date to avoid being rooted through publicly known vulnerabilities (upgrading the device to the latest OS version provides some security but doesn't always guarantee protection).
- Uninstall the app that is showing the ads.
To learn more about Kemoge, follow FireEye's official blog. Also, if you have faced such issues with your Android device, identify the app serving the malicious adware and let us know in the comments below.