Autorooting, Overlay Malware Are Rising Android Threats

The mobile threat landscape continued to evolve in the second quarter of 2016, with a growing concern among enterprises around new breeds of mobile threats: autorooting and overlay malware.

According to the Appthority Enterprise Mobile Threat Team, despite app vetting processes that include basic security checks, both Apple and Google have been challenged by app developers circumventing security protocols to introduce malware via apps that are vetted for and available in the Apple App Store and the Google Play Store.

For instance, Godless was discovered by Trend Micro over the summer. It carries a set of rooting exploits that can target virtually any Android device running Android 5.1 (Lollipop) or earlier. As of late June, almost 90% of Android devices were running affected versions. LevelDropper, another app carrying autorooting malware, was discovered on Google Play by Lookout a week later. It is a utility app that features a digital version of a handyman’s level. It roots Android devices and enables remote installation of applications without the user’s knowledge or approval. After just 30 minutes, 14 applications had been downloaded without any user interaction, according to researchers.

Researchers suspect that the motives behind autorooting are at least partially to increase ad revenue and perceived app popularity. Additionally, the creators were careful to disguise the rooting actions to prevent them from being detected by Google's Bouncer, a security system used to scan apps before allowing them on the Play Store. The apps don’t leave the typical signs in the system directory that the device has been rooted, but rather stealthily leverage rooting exploits already available in the wild, according to Appthority’s report.

Also in June, FireEye discovered overlay malware that was being used to steal credentials for mobile banking and messaging apps. Overlay malware is a type of mobile malware designed to mimic the look and feel of a target app.

According to the researchers, “After landing on the user’s device, the malware launches a process to monitor which app is running in the foreground on the compromised device. When the user launches a benign app into the foreground that the malware is programmed to target (such as a banking app), the malware overlays a phishing view on top of the benign app. The unwary user, assuming that they are using the benign app, will enter the required account credentials, which are then sent to remote C2 servers controlled by threat actors.”
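The behaviour FireEye describes needs two capabilities that an Android app has to declare in its manifest: drawing on top of other apps (the SYSTEM_ALERT_WINDOW permission) and finding out which app is in the foreground (usage-stats access, the legacy GET_TASKS permission, or an accessibility service). The following Python script is an added example, not code from FireEye, Appthority or this article: it parses AndroidManifest.xml text and flags apps that declare both capabilities, as a triage signal for a vetting pipeline. The three manifests and package names are constructed for the example.

```python
"""Manifest triage heuristic for the overlay pattern described above.

Overlay malware must (1) draw over other apps and (2) know which app is
in the foreground.  Both show up in AndroidManifest.xml, so a vetting
pipeline can flag the combination before an app reaches users.  The
sample manifests below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace; element names do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
FOREGROUND_MONITOR_PERMS = {
    "android.permission.PACKAGE_USAGE_STATS",         # UsageStatsManager foreground queries
    "android.permission.GET_TASKS",                   # legacy running-task enumeration
    "android.permission.BIND_ACCESSIBILITY_SERVICE",  # window-change events via a11y service
}


def declared_capabilities(manifest_xml):
    """Return (package name, set of permission strings) declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    # An accessibility service is declared via android:permission on the
    # <service> element, not via <uses-permission>, so collect those too.
    for svc in root.iter("service"):
        bind = svc.get(ANDROID_NS + "permission")
        if bind:
            perms.add(bind)
    return root.get("package", "<unknown>"), perms


def overlay_triage(manifest_xml):
    """Score one manifest.

    'high'   = overlay capability plus foreground monitoring (the overlay-phishing combo)
    'review' = overlay capability only (many legitimate apps draw overlays)
    'low'    = neither
    """
    package, perms = declared_capabilities(manifest_xml)
    overlay = sorted(perms & OVERLAY_PERMS)
    monitor = sorted(perms & FOREGROUND_MONITOR_PERMS)
    if overlay and monitor:
        verdict = "high"
    elif overlay:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": package, "verdict": verdict,
            "overlay": overlay, "foreground_monitor": monitor}


# Constructed sample manifests (hypothetical package names).
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.level">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeutility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
</manifest>"""

ACCESSIBILITY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.overlayspy">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".WatcherService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN, SUSPECT, ACCESSIBILITY):
        result = overlay_triage(manifest)
        print(f"{result['package']}: {result['verdict']} "
              f"overlay={result['overlay']} monitor={result['foreground_monitor']}")
```

The "review" tier exists because legitimate screen filters, chat heads and similar apps also request SYSTEM_ALERT_WINDOW; only the pairing with a foreground-monitoring capability matches the phishing-overlay pattern, and even a "high" result is a cue for manual or dynamic analysis rather than proof of malice.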

Appthority noted that the overlay technique is becoming increasingly popular among attackers because it is very effective: users find it difficult to distinguish the overlay screen from the real app, which allows the bad actors to harvest a large number of credentials quickly. Duped users clicked over 160,000 times on the 28 shortened URLs FireEye monitored.

Appthority warned that the existing vetting processes don’t typically pick up on these kinds of apps, so user education and mobile security are essential for enterprise users.

“The current app store review processes do not analyze apps with an enterprise use case in mind,” the report noted. “Thus, they routinely allow apps with security vulnerabilities—such as transmitting credentials in clear text or sharing data with unauthorized cloud storage providers and other third parties—into their app stores.”

It added, “For these reasons, enterprises still need to comprehensively monitor and prevent threats using solutions that detect not only known malware, but also precursors that indicate malicious potential behavior.”
