Security researchers have found a malicious application on Google Play that had over 500,000 downloads and was designed to gain complete control over Android devices.
The application masqueraded as a guide for the popular Pokémon Go game and used multiple layers of obfuscation to bypass Google Play's malware detection mechanisms, researchers from Kaspersky Lab said in a blog post.
The app contains a malicious module that does not execute immediately. Instead, the app waits for another application to be installed or uninstalled in order to determine whether it is running on a real device or in an emulated environment, like the ones used to detect malware.
Once the app determines that it is running on a real device, it waits several more hours before executing the malicious module, which then connects to a remote server and sends information about the device. The server can instruct the module to download exploits for local privilege escalation vulnerabilities that were found in Android between 2012 and 2015.
These are known as root exploits because they provide access to the highest privileged account on Android: the root account. In other words, successful exploitation leads to a full compromise of the device.
Google has released patches for all of these vulnerabilities, but because of the fragmentation of the Android ecosystem, there are likely many devices out there that haven't received all the updates.
This doesn't mean that the 500,000 downloads represent the number of compromised devices. Android has local security features like Verify Apps and SafetyNet that are specifically designed to detect and block known root exploits.
Kaspersky identified over 6,000 successful infections, mainly in Russia, India and Indonesia. "However, since the app is oriented toward English-speaking users, people in such geographies, and more, are also likely to have been hit," the Kaspersky researchers said.
The malicious "Guide for Pokémon Go" app was not the only app in the Google Play store that contained this Trojan module. Kaspersky found other such apps that have been in the store at various times since December 2015. Most of the older apps had around 10,000 downloads, but one called "Virtual Clock" had more than 100,000 downloads.
Google has done a fairly good job of keeping malware out of its official app store over the past few years, but as this incident shows, malicious applications can still slip through sometimes.