Kemoge Android Adware Campaign Can Lead to Device Takeover
Google has been busy removing a number of apps from Google Play that are disguised as popular selections that are actually pushing what starts out as adware but eventually turns more malicious.
Google has already yanked down a file-transfer app called ShareIt, developed by Zhang Long of China, who was posting benign versions of his app to Google Play, but hosting malicious versions on third-party sites. The Google Play version contacted the same command and control server as the malicious samples, but was stripped of eight root exploits that targeted either certain Android devices from different manufacturers, or certain kernel-level vulnerabilities.
FireEye uncovered the campaign, which is called Kemoge because its command and control domain is aps[.]kemoge[.]net. Researchers there said Kemoge has certain behaviors—one sample uninstalls antivirus protection on the device—that could lead to complete takeover of an Android device; FireEye said it has identified victims in 20 countries, some in critical industries including government agencies.
Some of the popular apps FireEye identified as having been repackaged with Kemoge include Smart Touch, Calculator, Talking Tom, Light Browser, Privacy Lock, Easy Locker and others including adult apps. The malware collects device information and sends it to the command and control server and then begins aggressively serving ads to the device, regardless of what the user is doing on the device; FireEye said ads are even served to the home screen. The eight root exploits are more worrisome because the attackers can use them to download, install and launch apps on the infected device.
“[The exploits] cover a large spectrum of devices, but the root exploits are not one-to-one mapping. Some of the root exploits are indeed device oriented, like motochopper is specially for Motorola devices, but some are general root, like the put_user exploit, which can root unpatched devices from Samsung, HTC, Motorola, etc,” said FireEye research scientist Yulong Zhang. “Such general root is not device specific but only related to certain vulnerable kernel versions.”
FireEye notified Google about the misbehaving apps in question and has begun removing them, including Zhang Long’s ShareIt app, which is typical of the Kemoge apps and has been downloaded at least 100,000 times.
“This app is developed by the same developer behind some of Kemoge samples, but stripped the root exploits. It contacted the same C2 but only downloaded advertisements so we don’t have direct evidence to prove its maliciousness. However, it has logic to upgrade itself and install other apps, so potentially it can still ‘turn bad’ if the C2 instructs it to do so,” FireEye’s Zhang said. “Moreover, based on many users’ comments, this Google Play app got propagated to their devices even if the users didn’t click install button from Google Play. This is an indicator that the developer might use this app for non-benign purpose — the developer not only put it on Google Play, but also tried to promote it via illegal channels (for example getting installed by other malware).”
Once on the device, Kemoge installs a number of components for persistence and root access. For example, it registers MyReceiver in the AndroidManifest which invokes another component called MyService, both of which are disguised as legitimate Google code because they include Google’s com.google component prefix. My Register, Zhang said, listens to signals from the device that the user has unlocked it and that it has finished booting; its purpose is persistence and to be launched whenever the user is active on the device. MyService, meanwhile, is launched by MyRegister and is a persistent daemon that monitors the user’s activities and contacts command and control for the malicious component called AndroidRTService.apk, as well as extracting root.sh, busybox, su, and the root exploits.
“These two components ensure that the device is persistently under control,” Zhang said, adding that the command and control server is still active.