Another day, another concern about mobile malware. This time from something called Kemoge Adware. From iOS to Android, neither of the OSs are free from the scourge that is malware. While common malware avoidance practices should keep you free from picking up one of these nasty buggers, that doesn’t change the fact they’re out there lurking. Today, it appears that Android may have another malware issue on its hands.
Kemoge comes in the form of Adware on Android devices and will allow the possibility of third-party app stores to fetch your device’s information, while also having the ability to take full control of your device. This was found by researchers from FireEye Labs. They discovered the malicious adware family of Kemoge has been pushing through 20 countries around the world with a suspected origin of China.
So what is Kemoge exactly? The name is derived from its command and control (C2) domain aps.kemoge.net. It’s an adware that disguises itself as popular apps. It takes the name of these popular apps, repackages them with a little bit of malicious code and then makes them available for the users. They even sport the same developer name of those who have been verified as having clean apps in the Play Store. Some affected apps include:
- Talking Tom 3
- Assistive Touch
- WiFi Enhancer
Basically it goes down in that the attacker sets up an interface that appears genuine. It then uploads those infected apps to third-party app stores, followed by download link promotions via web sites and in-app advertisements. Some of the more aggressive ad networks that have root privileges can automatically install these samples. Once activated, Kemoge then collects a user’s device information, uploads it to an ad server, then sends out ads from the background. Users are then subject to ad banners frequently via pop up, regardless of what the user is doing.'Initially Kemoge is just annoying, but it soon turns evil,' said FireEye researchers.Click To Tweet
“Initially Kemoge is just annoying, but it soon turns evil,” said FireEye researchers.
Root users are also subject to being infected as the adware is capable of injecting eight different root exploits to rooted phones. Some of these have been complied by open source projects like Root Dashi, or Root Master. According to researchers:
“After gaining root, it executes root.sh to obtain persistency,” they said. “Afterwards, it implants the AndroidRTService.apk into /system partition as Launcher0928.apk — the filename imitates the legit launcher system service. Moreover, the package name of this apk also looks like authentic services, e.g. com.facebook.qdservice.rp.provider and com.android.provider.setting.”
That system service, Launcher0928.apk, contacts aps.kemoge.net for commands. According to researchers, Kemoge is very good at evading detection. It communicates with the ad servers at various intervals of time. Then runs the malicious code briefly at first launch, or within 24 hours after that. When it does, it sends the phone’s IMEI, IMSI, storage information and a list of installed apps to a remote third-party server. Once the information is uploaded, the malware asks for commands from said server, which then reverts with one of three command and then the system service executes it. The three commands are:
- Uninstall designated applications
- Launch designated applications
- Download and Install applications from URLs given by server
Research was conducted on a Nexus 7 tablet running Android 4.3. In their experience, FireEye researchers found the server commanded the device into uninstalling a legitimate app, and reinstalling the malicious app.
Of course, it’s not all doom and gloom. As always there are a number of ways of protecting yourself from being infected. They include never clicking on suspicious links in texts, advertisements, web sites, emails and so on. You also want to make sure you get your apps from the official app stores. Keeping your device current as far as system updates are concerned is important, too.
FireEye has a wealth of information on Kemoge on its official blog, which can be found by hitting the source link below.