Malicious Android Adware Kemoge Roots Victim Devices

Security researchers have spotted a new piece of malicious Android adware in the wild, affecting users worldwide, which enables attackers to completely take over an infected device.

FireEye named it ‘Kemoge’ after its command and control domain: aps.kemoge.net.

Victims have been identified in over 20 countries including the US, UK and much of south-east Asia.

It propagates by disguising itself as a popular legitimate app such as Calculator, Wi-Fi Enhancer or Smart Touch and hiding on third party app stores, FireEye said in a blog post.

The attackers then promote the malicious app via download links in websites and in-app ads.

Some ad networks with root privileges can also automatically install Kemoge, the firm said.

Initially it appears to be fairly innocuous, if irritating, adware—collecting device information, uploading it to a C&C server and then passively serving up ads.

However, the adware then turns “evil,” according to FireEye.

“It registers MyReceiver in the AndroidManifest to automatically launch when the user unlocks the device screen or the network connectivity changes. MyReceiver then invokes MyService; both are disguised as Google’s code (prefixed with com.google.rp.confirm),” FireEye explained.

“After launching, MyService looks for an asset called [name].mp4, where [name] can be bg, info or hello. The mp4 extension conceals that the asset is actually a ZIP file with multiple levels of encryption.”

Kemoge decrypts and unzips the file to extract malware carrying as many as eight root exploits designed to root a wide variety of Android device models.
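The extension-versus-content mismatch FireEye describes (a ZIP stored as an .mp4 asset) is something a triage script can check for. The following is an added example, not FireEye's or Kemoge's code: it builds a constructed APK-like archive in memory, with one genuine-looking MP4 asset and one ZIP masquerading as bg.mp4, and flags any assets/*.mp4 entry whose bytes do not look like MP4.

```python
import io
import zipfile

# Content signatures: a ZIP begins with PK\x03\x04, a real MP4 carries an
# "ftyp" box whose type tag sits at byte offset 4.
ZIP_MAGIC = b"PK\x03\x04"
MP4_BRAND_OFFSET = 4
MP4_BRAND = b"ftyp"


def classify_asset(data: bytes) -> str:
    """Return 'zip', 'mp4' or 'unknown' based on content alone, ignoring the name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data[MP4_BRAND_OFFSET:MP4_BRAND_OFFSET + 4] == MP4_BRAND:
        return "mp4"
    return "unknown"


def find_masqueraded_assets(apk_bytes: bytes) -> list:
    """List (name, detected_kind) for assets/*.mp4 entries that are not MP4 files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(".mp4")):
                continue
            kind = classify_asset(apk.read(name))
            if kind != "mp4":
                findings.append((name, kind))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample archive: one MP4-like asset and one ZIP disguised as bg.mp4."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.bin", b"constructed placeholder content")  # not real malware
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as apk:
        apk.writestr("assets/intro.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16)
        apk.writestr("assets/bg.mp4", inner.getvalue())  # the disguised asset
        apk.writestr("classes.dex", b"dex\n035\x00")
    return outer.getvalue()


if __name__ == "__main__":
    for name, kind in find_masqueraded_assets(build_sample_apk()):
        print(f"{name}: extension says mp4, content looks like {kind}")
```

Because FireEye notes the real asset is wrapped in several layers of encryption, the outer bytes may not show a ZIP header at all; the check above still flags such an asset, since it reports anything under assets/ with an .mp4 name that fails to look like MP4, not only things that look like ZIP.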

The malware then seeks to gain persistence on the device and hide its activity by only communicating with the C&C intermittently.

During tests, the malware tried to uninstall AV software on the device and popular legitimate apps, “possibly preparing for further attacks.”

The security firm advised users not to click on suspicious links in emails, texts, ads and on websites; not to install apps from outside the official app store; and to keep Android devices updated so they can’t be rooted via publicly known bugs.

“This is another malicious adware family, possibly written by Chinese developers or controlled by Chinese hackers, spreading on a global scale that represents a significant threat,” it concluded.