June 25, 2016

Beware! New ‘GODLESS’ Mobile Malware Targets 90% Of Android Devices, Installs Unwanted Apps

Do you know that widely used mobile operating system ‘Android‘ is prone to malware? Researchers at Trend Micro, a cybersecurity firm headquartered in Japan, have discovered a family of mobile malware called “GODLESS” that can virtually target any Smartphone running on Android 5.1 (Lollipop) or earlier. Unfortunately, that means almost 90% of all Android devices used worldwide are vulnerable to the threat.

Malicious apps related to this threat can be found in prominent app stores, including Google Play, as reported by Trend Micro. Detected as ANDROIDOS_GODLESS.HRX, the malware has already affected over 850,000 devices around the world with almost half of these devices in India alone.

India captures the highest share of affected devices at 46%, followed by Indonesia and Thailand at around 10% each.

Godless - Global Malware Distribution

How does GODLESS work?

The malware works by using a framework called “android-rooting-tools”. It hides inside an app and exploits the root of the operating system (OS) on your phone. This creates admin access to a device, allowing un-authorized apps to be installed.

The website reported, “Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. It contains various exploits to ensure it can root a device and it can even install spyware.”

Rooting takes place Remotely instead of happening Locally:

Once a malicious app is installed on your phone, the malware waits for the phone screen to off before proceeding with the rooting process;

code for malware exploitation while screen off

After it successfully roots the device, it then drops a payload as a system app that cannot easily be removed. The payload is an AES-encrypted file called __image.

code for malware exploitation while screen off

Recently, we came across a new Godless variant that is made to only fetch the exploit and the payload from a remote command and control (C&C) server, hxxp://market[.]moboplay[.]com/softs[.]ashx. We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play.

google play plyload

payload godless download

exploiting malware payload remotely


Why is GODLESS so deadly?

The website report claims, “By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. Almost 90 percent of Android devices globally currently run on affected versions.”

A newer variant can also bypass security checks at app stores such as Google Play. Once the malware has finished its rooting, it can be tricky to uninstall.

Some of the things Godless can do are to download unwanted apps without the user’s knowledge, display malicious ads, and spy on users.

Trend Micro has also found various apps in Google Play that contain the malicious code. The apps that have this new malware range from utility apps (flashlights and Wi-Fi apps) to copies of popular games. Some apps are clean but have a corresponding malicious version that shares the same developer certificate. The danger there is that users install the clean app which then upgrades to the malicious version without their knowledge.

GODLESS’ Mobile Malware Targets 90% Of Android Devices

Download only ‘Certified Apps’ to stay away from such Malware:

“When downloading apps, regardless if it’s a utility tool or a popular game, users should always review the developer. Unknown developers with very little or no background information may be the source of these malicious apps. It’s also best to download apps from trusted stores such as Google Play and Amazon. Users should also have secure mobile security that can mitigate mobile malware,” Country Manager of Trend Micro, said.

About the author 


{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}