Saturday, October 17, 2015

Another Android Adware Adventure

AdDisplay is a new malware program discovered earlier this month by researchers at ESET Security. It was found hiding in several "cheat" apps, pretending to offer cheat codes for unlimited coins in games like Subway Surfer or Pou. AdDisplay works by serving up ads to the user aggressively and making uninstallation of the app difficult. This particular example is rather sneaky; it performs a WHOIS lookup in order to find out if it is being run in Bouncer.

Bouncer is a security measure created by Google that actively scans apps that are uploaded to the Play Store, and apps that are already being hosted. Bouncer actively compares apps to previous definitions of malware to find any red flags within the app. Unfortunately, just like any other tool, Bouncer is not flawless. Bouncer can be "fingerprinted," and malicious apps can perform certain evasive measures to ensure that they will not be identified. There are several commonly employed methods to avoid detection, such as waiting for commands from a CnC server before injecting the malicious content, waiting a predetermined number of hours before any ads or attacks are placed, or even comparing the environment to a database of known Bouncer identifiers or qualities.

This new adware is a little different though, as stated above. On first launch, the app gathers network information about the device (by way of the android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE permissions) and then performs a WHOIS lookup on the device's public IP address. If the WHOIS result contains the string "Google", the application carries on, business as usual. If not, it assumes it is running on a real user's device and starts dealing out ads. AdDisplay will also "prompt" the user to enable setting X while drawing an overlay over the "Grant Device Administrator" page within Settings, tricking the user into granting admin rights and making removal a little more difficult.
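The behaviour described above gives a reviewer a few static indicators to look for before an app ever runs. The following triage script is an added example (not from ESET's write-up or the malware itself): it takes a decoded AndroidManifest.xml and a list of strings pulled from the app's code, both constructed here as samples, and flags the combination of network permissions, WHOIS references, a "Google" comparison string, and a device-admin receiver. The BIND_DEVICE_ADMIN permission is the standard Android permission a device-admin receiver must declare; the post itself does not name it.

```python
import re

# Permissions the post says AdDisplay relies on for the WHOIS check.
NETWORK_PERMS = {"android.permission.INTERNET",
                 "android.permission.ACCESS_NETWORK_STATE"}
# Standard permission a device-admin receiver must declare (assumption: not named in the post).
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
WHOIS_RE = re.compile(r"whois", re.IGNORECASE)

# Constructed sample: a trimmed manifest and a few strings from a hypothetical "cheat" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cheats">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""
SAMPLE_STRINGS = ["http://whois.example.invalid/ip/", "Google", "Unlimited coins!"]


def parse_permissions(manifest_xml):
    """Collect the <uses-permission> names declared in the manifest text."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))


def declares_device_admin_receiver(manifest_xml):
    """True if any <receiver> is guarded by the device-admin permission."""
    pattern = r'<receiver[^>]*android:permission="%s"' % re.escape(DEVICE_ADMIN_PERM)
    return re.search(pattern, manifest_xml) is not None


def triage_apk(manifest_xml, strings):
    """Return heuristic flags matching the AdDisplay behaviour; order is fixed for reporting."""
    perms = parse_permissions(manifest_xml)
    whois_refs = [s for s in strings if WHOIS_RE.search(s)]
    mentions_google = any("google" in s.lower() for s in strings)
    flags = []
    if NETWORK_PERMS <= perms and whois_refs:
        flags.append("whois-lookup")          # can look up its own IP's owner
    if whois_refs and mentions_google:
        flags.append("possible-bouncer-fingerprint")  # WHOIS result compared against "Google"
    if declares_device_admin_receiver(manifest_xml):
        flags.append("device-admin-receiver")  # can ask for (or trick) admin rights
    return flags


if __name__ == "__main__":
    print(triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

These flags are a first-pass signal for manual review, not a verdict: plenty of legitimate apps contain the string "Google", so only the combination is interesting.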


ESET has already informed Google of this, and Google has promptly removed the offending applications. This is just another example of why you should always know what you're installing: avoid applications that ask for unnecessary permissions or that have several reviews questioning their authenticity, and always keep a cautious eye when searching for new software.

* Image courtesy of this article.

Sunday, October 11, 2015

The Kemoge Adware Network

Kemoge seems like a great topic for my first post, so here goes.

For those unaware, Kemoge is a new malicious adware network found by FireEye Labs that will send sensitive device information back to a remote server, while simultaneously attempting to root your device several different ways, in an effort to achieve greater control over it.

Kemoge is named after the CnC domain, aps.kemoge.net. It was originally found hiding in repackaged apps like "Shareit", "WiFi Enhancer", "Assistive Touch", and other inconspicuous tools. While most of these apps have only been hosted on third party app stores with little to no security checks, there has been at least one instance of the malware existing on an app uploaded to the Play Store.

FireEye has confirmed that all infected applications were uploaded under the same developer name, "Zhang Long". Google has since reacted accordingly, removing all (known) infected instances from the Play Store. The app that made it onto the Play Store had all root components removed, although it did still contact the ad network on the remote server.

The previous image clearly describes how the malware functions throughout its life. At first, the attacker uploads the infected application to a third party app store and then promotes the app with ads and false reviews. Once the end user has been tricked into installing the app, the fun begins. Upon the first launch, Kemoge brazenly begins to mine and collect crucial device information. Then it all goes to hell:
  • forcefully displays ads in banners, pop ups, and other methods
  • attempts to root the device with eight (yeah, eight!!) different public methods
    • motochopper, the sock_diag kernel exploit, and several other root methods, some of which can be found in the commercial rooting tool, Root Dashi.
    • if root succeeds, Kemoge installs an app called AndroidRTService.apk to /system and renames itself to launcher*installdate*.apk.
    • from there, Kemoge requests a command from the server, where it will receive one of three instructions:
      • Uninstall selected apps
      • Install selected apps
      • Download and install apps from the remote server
    • According to FireEye, the apps that Kemoge tries to uninstall are antivirus apps or popular legitimate apps, likely in an effort to gain greater control and to clear the way for new apps to infect.

In conclusion, Kemoge represents a significant threat to users of third party app stores, and while it is less of a threat to those who remain on the Play Store, it should not be overlooked or dismissed at a glance. It is very important to protect yourself online, and even the most professional looking tools can be malicious. Because of this, users should always be cautious and aware of what they are installing.
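The post-root behaviour above leaves concrete artifacts on an infected device: the AndroidRTService.apk dropped into /system, the dropper renamed to launcher<installdate>.apk, and traffic to aps.kemoge.net. The script below is an added example (not FireEye's tooling) that runs those indicators over a constructed /system listing and a few constructed DNS log lines. The date format inside the launcher name and the DNS log layout are assumptions, since the post does not specify either.

```python
import re

# Indicators taken from the post (FireEye's Kemoge write-up).
KEMOGE_C2_DOMAIN = "aps.kemoge.net"
ROOT_SERVICE_APK = "AndroidRTService.apk"
# The dropper renames itself launcher<installdate>.apk; the date format is not
# given in the post, so a run of digits is assumed here.
LAUNCHER_RE = re.compile(r"^launcher\d{6,14}\.apk$")

# Constructed sample data: a recursive listing of /system from a suspect device
# and DNS query log lines in an assumed "timestamp client query type host" shape.
SAMPLE_SYSTEM_LISTING = [
    "/system/app/Settings.apk",
    "/system/app/AndroidRTService.apk",
    "/system/priv-data/launcher20151011.apk",
    "/system/app/Launcher3.apk",
]
SAMPLE_DNS_LOG = [
    "2015-10-11T09:14:02Z 10.0.0.7 query A play.googleapis.com",
    "2015-10-11T09:14:05Z 10.0.0.7 query A aps.kemoge.net",
    "2015-10-11T09:20:41Z 10.0.0.7 query A aps.kemoge.net",
]


def scan_system_listing(paths):
    """Return (kind, path) findings: the dropped root service and renamed droppers."""
    findings = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if path.startswith("/system/") and name == ROOT_SERVICE_APK:
            findings.append(("root_service", path))
        elif LAUNCHER_RE.match(name):
            findings.append(("renamed_dropper", path))
    return findings


def scan_dns_log(lines):
    """Return (timestamp, host) for queries to the CnC domain or any of its subdomains."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than crash the sweep
        ts, host = parts[0], parts[-1].rstrip(".").lower()
        if host == KEMOGE_C2_DOMAIN or host.endswith("." + KEMOGE_C2_DOMAIN):
            hits.append((ts, host))
    return hits


def triage(paths, dns_lines):
    """Combine both sweeps into one verdict dictionary for the device."""
    fs = scan_system_listing(paths)
    return {
        "rooted_by_kemoge": any(kind == "root_service" for kind, _ in fs),
        "renamed_droppers": [p for kind, p in fs if kind == "renamed_dropper"],
        "c2_contacts": scan_dns_log(dns_lines),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM_LISTING, SAMPLE_DNS_LOG))
```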

Introduction

How's it going everyone? This is a small blog I'm going to be maintaining for the foreseeable future. It is meant to be a place where I can record and share my knowledge on Android, its security and functionality, and various other things within the mobile world. I will be covering everything from root access to SELinux, and maybe even delve into TrustZone a little bit later on. I plan on being as technical as I can throughout the life of the blog, and I hope to learn a lot more as I go along.

The blog will be updated once a week, or really just whenever I feel confident enough in a topic that I can write an entire blog post on it. See ya next time.