Security researchers have found a malicious application on Google Play that had over 500,000 downloads and was designed to take full control of Android devices.
The app masqueraded as a guide for the popular Pokémon Go game and used multiple layers of obfuscation to bypass Google Play's malware detection mechanisms, researchers from Kaspersky Lab said in a blog post. The app contains a malicious module that does not execute right away. Instead, the app waits for another application to be installed or uninstalled in order to determine whether it is running on a real device or in an emulated environment, such as the ones used to detect malware.
Once the app determines that it is running on a real device, it waits another hour before executing the malicious module, connecting to a remote server, and sending information about the device. The server can instruct the module to download exploits for local privilege escalation vulnerabilities found in Android between 2012 and 2015. These are called root exploits because they grant access to the highest-privileged account on Android, the root account.
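The dormant-until-triggered behaviour described above is a sandbox-evasion pattern that a dynamic-analysis pipeline can look for directly: no network activity at all until a package install/uninstall event, then a long delay, then the first outbound connection. The following is an added example written for this article, not code from Kaspersky or from the malware; the event-timeline format, the field names and the sample events are constructed for illustration. It also covers the failure mode that matters to analysts: a sandbox that never generates a package event can never observe the payload, so the heuristic reports that explicitly instead of returning a clean verdict.

```python
"""Heuristic for the "dormant until a package event, then delayed beacon" pattern.

Added example, not code from the article or from Kaspersky. The timeline
format "<ISO timestamp>|<event kind>|<detail>" and the event kinds are
assumptions made for this example; a real pipeline would map its own
sandbox events onto them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: an app that stays quiet until another package is
# installed, then beacons out about an hour later.
SAMPLE_TIMELINE = """\
2016-09-01T10:00:00|app_start|com.example.guideapp
2016-09-01T10:00:05|ui_activity|MainActivity
2016-09-01T10:30:00|package_event|android.intent.action.PACKAGE_ADDED com.example.other
2016-09-01T11:31:00|network_connect|203.0.113.10:443
2016-09-01T11:31:02|network_send|device_info
"""

# Constructed sample: the same kind of app run in a sandbox that never
# installs or removes any package, so the trigger never fires.
SAMPLE_QUIET_SANDBOX = """\
2016-09-01T10:00:00|app_start|com.example.guideapp
2016-09-01T10:00:05|ui_activity|MainActivity
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    detail: str


def parse_timeline(text):
    """Parse the constructed timeline format into Event objects, in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split("|", 2)
        events.append(Event(datetime.fromisoformat(ts), kind, detail))
    return events


def assess(events, min_delay=timedelta(minutes=30)):
    """Classify one app's sandbox timeline.

    Returns (verdict, delay) where delay is the time between the first
    package install/uninstall event and the first network event, or None.
    Verdicts:
      "no-trigger-observed": the sandbox never produced a package event,
          so a payload gated on one could not have fired (inconclusive run)
      "no-network": a trigger happened but the app never went online
      "network-before-trigger": the app used the network before any trigger,
          which does not match the dormant pattern
      "prompt-network-after-trigger": online shortly after the trigger
      "suspicious-delayed-beacon": first network use came only after the
          trigger and at least min_delay later
    """
    pkg = next((e for e in events if e.kind == "package_event"), None)
    net = next((e for e in events if e.kind.startswith("network_")), None)
    if pkg is None:
        return "no-trigger-observed", None
    if net is None:
        return "no-network", None
    if net.ts < pkg.ts:
        return "network-before-trigger", None
    delay = net.ts - pkg.ts
    if delay >= min_delay:
        return "suspicious-delayed-beacon", delay
    return "prompt-network-after-trigger", delay


if __name__ == "__main__":
    for name, text in [("triggered run", SAMPLE_TIMELINE),
                       ("quiet sandbox", SAMPLE_QUIET_SANDBOX)]:
        verdict, delay = assess(parse_timeline(text))
        print(f"{name}: {verdict} (delay={delay})")
```

The practical takeaway from the second sample is that a sandbox run must actively install and remove a throwaway package and then keep observing for well over an hour; otherwise an app of this kind looks clean simply because the environment never gave it its cue.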
In other words, successful exploitation results in a complete compromise of the device. Google has released patches for all of these vulnerabilities, but because of the fragmentation of the Android ecosystem, there are probably many devices out there that haven't received all the updates. This doesn't mean that the 500,000 downloads represent the number of compromised devices. Android has built-in security features such as Verify Apps and SafetyNet that are specifically designed to detect and block known root exploits.
Kaspersky identified over 6,000 successful infections, mostly in Russia, India, and Indonesia. "However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit," the Kaspersky researchers said. The malicious "Guide for Pokémon Go" app was not the only one in Google Play that contained this Trojan module. Kaspersky found other apps in the store on several occasions since December 2015. Most of the older apps had around 10,000 downloads, but one called "Digital Clock" had more than 100,000 downloads.
Google has done a reasonably good job of keeping malware out of its official app store over the past few years; however, as this incident shows, malicious applications can still slip through occasionally.