New 'Godless' Malware Targets Android Mobile Devices
Android users have reason to fear “Godless,” a new family of malware targeting Android mobile devices that has been detected by digital security firm Trend Micro, the company said yesterday. The malware, named after the ANDROIDOS_GODLESS.HRX filename it uses, employs multiple exploits to root users’ devices.
“Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier,” according to Veo Zhang, mobile threats analyst at Trend Micro. “As of this writing, almost 90 percent of Android devices run on affected versions,” Zhang wrote in a blog post yesterday. “Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and have affected over 850,000 devices worldwide.”
Bypassing Security Checks
According to Trend Micro, Godless is similar to an exploit kit. Both use an open-source rooting framework called android-rooting-tools. Zhang said the framework has various exploits in its arsenal that it can use to root a number of different Android-based devices. The two most prominent vulnerabilities targeted by the rooting kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit).
By gaining root privilege, Godless can connect to a command-and-control (C&C) server capable of delivering remote instructions that force the device to download and install additional apps without the user’s knowledge. At best, a user receives unwanted apps on their phone. At worst, the same technique can be used to install a backdoor or spy on the user.
Zhang said that an attacker can use this capability to design a malicious app containing a local exploit binary that fetches the payload from the C&C server, allowing the malicious app itself to pass the security checks performed by app stores such as Google Play.
Hidden in Flashlight Apps
“We found various apps in Google Play that contain this malicious code,” Zhang said. “The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games.”
In addition, a large number of clean apps on Google Play have corresponding versions that are malicious. While the versions on Google Play do not contain the malicious code, Zhang said the risk to users is that they could be upgraded to the malicious versions without being aware of the apps’ new malicious behaviors.
Trend Micro said it has alerted Google about the threat, and the company has taken appropriate actions. Users should review the developers listed for apps whenever they download new programs from any app store and should be suspicious of unknown developers. All apps should also be downloaded from trusted stores such as Google or Amazon, Trend Micro said.