Google Play Besieged with Wave of New Autorooting Malware

A new wave of autorooting malware is sweeping the Google Play store, including a new discovery, LevelDropper.

Lookout discovered the app last week and noted evidence of a new strain of malware. Put simply, an application cannot download and install additional apps without user interaction unless it has root access to the package manager. What Lookout observed therefore points to LevelDropper having the capability to auto-root the device.

“The term ‘autorooting malware’ represents a classification of mobile malware that silently roots a device in order to perform actions only possible with more privileges,” the security firm said in a blog post.

It added, “At first glance, LevelDropper seemed to be a simple app to use instead of a physical level from your toolbox, but upon deeper analysis, it turned out to conceal its malicious behavior. . . In this case, LevelDropper stealthily roots the device and goes on to install further applications—many of them—to the victim’s device.”

Shortly after running LevelDropper, new applications not previously installed on the phone slowly began to appear. The app never prompted the user to install the additional apps.

At first, only two additional apps were installed, but the number increased the longer the app ran. After about 30 minutes, Lookout researchers found 14 applications downloaded, without any user interaction. The malicious app also included additional APKs that make use of root privileges to display obtrusive ads in a way that is difficult to get around.

Although the malicious app must have root access in order to install apps silently, it’s stealthy about that fact.

“When we looked through the system directory, we didn’t see the typical indicators that a device is rooted,” the researchers said. “The only evidence we could uncover was the fact that the system partition was writable . . . other evidence appears to have been removed.”
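A defensive triage check built on the two observations reported above (apps appearing without user interaction, and a writable system partition), as an added example that is not code from Lookout or the original article. It assumes the inputs were captured with `adb shell cat /proc/mounts` and `adb shell pm list packages`; the sample data and package names are constructed.

```python
"""Triage for silent-install / autorooting indicators (constructed sample data)."""

# Constructed sample: /proc/mounts lines (device, mount point, fs type, options, dump, pass).
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,seclabel 0 0
/dev/block/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

# Constructed samples: `pm list packages` output from a baseline and a later capture.
SAMPLE_BEFORE = "package:com.example.level\npackage:com.example.mail\n"
SAMPLE_AFTER = ("package:com.example.level\npackage:com.example.mail\n"
                "package:com.example.adpush\npackage:com.example.cleaner\n")


def writable_mounts(mounts_text, watched=("/system",)):
    """Return the watched mount points that are mounted read-write."""
    state = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        mount_point, options = fields[1], fields[3].split(",")
        if mount_point in watched:
            # With stacked mounts the last entry is the one in effect.
            state[mount_point] = "rw" in options
    return sorted(mp for mp, is_rw in state.items() if is_rw)


def parse_packages(listing):
    """Extract package names from `pm list packages` output."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in listing.splitlines()
            if line.strip().startswith(prefix)}


def triage(mounts_text, before, after):
    """Summarise both indicators for an analyst to review."""
    added = sorted(parse_packages(after) - parse_packages(before))
    rw = writable_mounts(mounts_text)
    return {"writable_system_mounts": rw, "new_packages": added,
            "suspicious": bool(rw) and bool(added)}


if __name__ == "__main__":
    print(triage(SAMPLE_MOUNTS, SAMPLE_BEFORE, SAMPLE_AFTER))
```

New packages on their own are expected on any device in normal use; the check flags only the combination with a read-write `/system`, which is the one artifact the researchers say was left behind.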

LevelDropper is an indicator of a new trend in mobile malware, Lookout noted.

“In the recent past, we’ve seen a number of families that also automatically root a victim’s device, though these may be more sophisticated and persistent,” the researchers said. “For now, it seems like these apps are being used to drive ad revenues. In cases like this, developers often integrate auto-rooting functionality to drive app installs which can drive both perceived popularity and ad revenue.”
