Sunday, October 11, 2015

The Kemoge Adware Network

Kemoge seems like a great topic for my first post, so here goes.

For those unaware, Kemoge is a new malicious adware network found by FireEye Labs. It sends sensitive device information back to a remote server while, at the same time, trying several different methods to root the device in an effort to gain greater control over it.

Kemoge is named after its CnC domain, aps.kemoge.net. It was originally found hiding in repackaged versions of apps such as "Shareit", "WiFi Enhancer", "Assistive Touch" and other innocuous-looking tools. Most of these apps have only been hosted on third-party app stores with little or no security review, but there has been at least one instance of the malware making it into an app uploaded to the Play Store.

FireEye has confirmed that all infected applications were uploaded under the same developer name, "Zhang Long". Google has since reacted accordingly, removing all known infected instances from the Play Store. The app that did make it onto the store had all of its root components removed, although it still contacted the remote server for ads.

The previous image describes how the malware functions throughout its life cycle. First, the attacker uploads the infected application to a third-party app store and promotes it with ads and fake reviews. Once the end user has been tricked into installing the app, the fun begins. On first launch, Kemoge brazenly starts collecting device information and sending it back to the server. Then it all goes to hell:
  • forcefully displays ads as banners, pop-ups and by other methods
  • attempts to root the device with eight (yes, eight!) different public root exploits
    • these include motochopper, the sock_diag kernel exploit and several other root methods, some of which can be found in the commercial rooting tool Root Dashi
    • if rooting succeeds, Kemoge installs an app called AndroidRTService.apk to /system and renames itself to launcher*installdate*.apk
    • from there, Kemoge requests a command from the server and receives one of three instructions:
      • uninstall selected apps
      • install selected apps
      • download and install apps from the remote server
    • according to FireEye, the apps Kemoge tries to uninstall are antivirus apps and popular, legitimate apps, likely in an effort to remove anything that could detect it and to gain even greater control over the device
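
As an added example (not code from the original post, from FireEye's report or from the malware itself), here is a small Python triage helper that checks evidence pulled from a device against the indicators named above: the CnC host aps.kemoge.net, the AndroidRTService.apk drop in /system and the launcher*installdate*.apk rename. The DNS-log format, the example file paths and the assumption that the install date is at least six digits are mine; all sample input is constructed.

```python
# Added example (not FireEye's tooling and not the malware's own code): an
# offline triage helper that checks two kinds of evidence captured from a
# device against the indicators named in the post. All sample input below is
# constructed for illustration; the log format and file paths are assumptions.
import re
from typing import Dict, Iterable, List, Union

# Indicators taken from the write-up.
CNC_HOST = "aps.kemoge.net"            # CnC domain the family is named after
PAYLOAD_NAME = "AndroidRTService.apk"  # dropped into /system once root succeeds
# The post says the app renames itself to launcher<install date>.apk. The exact
# date format is not given, so this assumes at least six digits (YYYYMMDD or a
# Unix timestamp) to avoid matching ordinary names such as Launcher3.apk.
LAUNCHER_RE = re.compile(r"/launcher\d{6,}\.apk$")


def find_system_artifacts(listing: Iterable[str]) -> List[str]:
    """Return paths from an APK listing (e.g. the output of
    `adb shell find /system -name '*.apk'`) that match the file names Kemoge
    uses after rooting the device. Only /system is considered, because the
    write-up says that is where the payload is installed."""
    hits: List[str] = []
    for line in listing:
        path = line.strip()
        if not path.startswith("/system/"):
            continue
        if path.endswith("/" + PAYLOAD_NAME) or LAUNCHER_RE.search(path):
            hits.append(path)
    return hits


def find_cnc_contacts(dns_lines: Iterable[str]) -> List[str]:
    """Return DNS-log lines whose queried name is the Kemoge CnC host or a
    subdomain of it. The assumed (constructed) log format is
    '<timestamp> <client-ip> <qname>'; names are compared case-insensitively
    and a trailing dot is ignored, so 'APS.KEMOGE.NET.' still matches."""
    hits: List[str] = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line: skip rather than crash
        qname = parts[2].rstrip(".").lower()
        if qname == CNC_HOST or qname.endswith("." + CNC_HOST):
            hits.append(line.strip())
    return hits


def triage(listing: Iterable[str],
           dns_lines: Iterable[str]) -> Dict[str, Union[List[str], bool]]:
    """Combine both checks. Either kind of hit is enough to flag the device:
    the Play Store sample had its root components removed but still talked
    to the remote server, so network evidence alone must count."""
    artifacts = find_system_artifacts(listing)
    contacts = find_cnc_contacts(dns_lines)
    return {
        "system_artifacts": artifacts,
        "cnc_contacts": contacts,
        "suspected": bool(artifacts or contacts),
    }


# Constructed sample input: a few APK paths and DNS-log lines of the shape a
# captured `adb shell` listing and a resolver log might produce.
SAMPLE_LISTING = [
    "/system/app/Bluetooth/Bluetooth.apk",
    "/system/priv-app/Launcher3/Launcher3.apk",
    "/system/app/AndroidRTService.apk",
    "/system/app/launcher20151011.apk",
    "/data/app/com.example.game-1/base.apk",
]
SAMPLE_DNS = [
    "2015-10-11T10:02:13Z 10.0.0.5 aps.kemoge.net.",
    "2015-10-11T10:02:14Z 10.0.0.5 play.googleapis.com.",
    "2015-10-11T10:02:15Z 10.0.0.7 APS.KEMOGE.NET",
    "2015-10-11T10:02:16Z 10.0.0.9 notaps.kemoge.net.",
    "malformed line",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_DNS).items():
        print(f"{key}: {value}")
```

Two caveats when using something like this for real: a hit on the /system artifacts means the root exploits succeeded, so the device should be treated as fully compromised rather than just having one app uninstalled; and the host match is deliberately limited to aps.kemoge.net and its subdomains because that is the only CnC name the post gives, so widening it to the parent domain is a judgment call you make with your own intelligence, not something this script decides for you.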
In conclusion, Kemoge is a significant threat to users of third-party app stores and, while less of one to those who stay on the Play Store, should not be overlooked or dismissed at a glance. It is very important to protect yourself online, as even the most professional-looking tools can be malicious. Users should always be cautious and aware of what they are installing.


