A new Android malware family has been discovered that targets devices running Android 5.1 Lollipop or earlier. It has affected over 850,000 devices worldwide and leverages multiple rooting exploits, which earned it the name "Godless".
Godless roots your Android device for you
Security researchers at Trend Micro recently discovered a new Android malware dubbed Godless. Godless can target about 90 percent of Android devices in use, since only a very small fraction of Android devices is currently running Marshmallow. "Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and has affected over 850,000 devices worldwide," researchers said in a blog post.
Yep, this recently observed piece of malware has already affected a large number of devices through malicious apps, because it can slip past the security checks of app stores, including Google's own Play Store. This is not the first news of its kind: a number of malware families have previously targeted the operating system exclusively. Powering over a billion devices, many of which never receive security updates from their manufacturers, Android is the platform of choice for malicious campaigns and phishing attacks.
How does Godless work?
Godless uses an open-source rooting framework called "android-rooting-tools" to gain root on the device. Working like an exploit kit, it carries several exploits so that it can root a range of Android devices. Once it has root on a target device, Godless receives remote instructions to surreptitiously download and install additional apps. These additional malicious applications can act as adware or spyware, displaying unwanted ads or compromising user data.
Security researchers also noted that Godless has evolved: where earlier variants carried their exploits inside the app, the malware now performs the rooting with code fetched remotely. "Recently, we came across a new Godless variant that is made to only fetch the exploit and the payload from a remote command and control (C&C) server," Trend Micro said. "We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play."
This makes detection even harder, because the app changes its behavior only after it has been installed on a device. Once the app passes the security checks done by an app store, it can fetch the exploit from its C&C server at runtime, so a static scan of the submitted package sees nothing to root the device with. Many clean apps on Google Play, including common flashlight and utility apps, were found to upgrade to malicious versions without the user knowing.
The versions on Google Play do not contain the malicious code. The risk is that a user who installed a clean version can later be updated to a malicious build without noticing the app's new behavior.
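The staged design described above (a package that passes store review, then pulls its rooting exploit and payload from a C&C server after installation) is what a triage tool has to look for when the exploit itself is absent from the APK. The following is an added example, not Trend Micro's detection logic and not code from the Godless campaign: it scans the dex files inside an APK for the primitives such a dropper still has to reference at rest, namely a dynamic class loader or native library loader plus root tooling paths. The indicator strings, the scoring rule, and the two in-memory sample APKs are constructed assumptions; hits are triage leads, not verdicts.

```python
"""Static triage of an APK for the staged-loader pattern.

Added example (not the article's or Trend Micro's code). Assumption: a
dropper that downloads its exploit and payload at runtime usually has to
name a dynamic class loader or a native loader in its own dex, and the
root-handling stage tends to reference su paths. The indicator lists and
the classification rule are therefore heuristics, not a signature.
"""
import io
import re
import zipfile

# Assumed indicators. Dex string tables store type descriptors and member
# names as separate (M)UTF-8 entries, so each entry below is a whole
# identifier and can be matched as a contiguous byte string.
INDICATORS = {
    "dynamic_code_loading": [
        b"Ldalvik/system/DexClassLoader;",
        b"Ldalvik/system/PathClassLoader;",
        b"loadLibrary",
    ],
    "root_tooling": [
        b"/system/bin/su",
        b"/system/xbin/su",
    ],
}


def scan_dex_bytes(dex: bytes) -> dict:
    """Return {category: [matched indicators]} for one dex blob."""
    if not dex.startswith(b"dex\n"):
        raise ValueError("not a dex file (bad magic)")
    hits = {}
    for category, needles in INDICATORS.items():
        found = [n.decode() for n in needles if n in dex]
        if found:
            hits[category] = found
    return hits


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex inside the APK (a zip) and merge findings."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex_names = [n for n in zf.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        if not dex_names:
            raise ValueError("no classes.dex in archive")
        for name in dex_names:
            for category, found in scan_dex_bytes(zf.read(name)).items():
                bucket = merged.setdefault(category, [])
                bucket.extend(f for f in found if f not in bucket)
    return merged


def classify(hits: dict) -> str:
    """Assumed rule: loader + root tooling together is the pattern worth a look."""
    dyn = "dynamic_code_loading" in hits
    root = "root_tooling" in hits
    if dyn and root:
        return "staged-rooting-dropper candidate"
    if dyn:
        return "dynamic code loading: review what is loaded and from where"
    return "no indicator hit (does not prove the app is clean)"


def _fake_apk(strings) -> bytes:
    """Constructed sample: a zip holding a minimal fake classes.dex that has
    only the dex magic and a NUL-separated string table. Not a real APK."""
    dex = b"dex\n035\x00" + b"\x00".join(strings) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


# Constructed samples mirroring the behaviour change the article describes:
# a clean flashlight-style build, and an "upgraded" build of the same app
# that gained a dynamic loader and su paths.
CLEAN_BUILD = _fake_apk([b"Landroid/hardware/Camera;", b"setFlashMode"])
UPGRADED_BUILD = _fake_apk([
    b"Landroid/hardware/Camera;",
    b"Ldalvik/system/DexClassLoader;",
    b"/system/bin/su",
])

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_BUILD), ("upgraded", UPGRADED_BUILD)):
        hits = triage_apk(apk)
        print(f"{label}: {classify(hits)} {hits}")
```

Run against a real APK by passing the file's bytes to `triage_apk`. A hit on `dynamic_code_loading` alone is common in legitimate apps (plugin frameworks, JNI libraries), which is why the rule only escalates when root tooling paths appear alongside it; the absence of hits says nothing about code the app will fetch later, so this complements, rather than replaces, monitoring an app's network and file activity after installation.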
Researchers have advised users to review a developer's history before installing an app, as "unknown developers with very little or no background information may be the source of these malicious apps."