An adware campaign is hitting Android device users in over 20 countries, researchers said.
The threat, called “Kemoge” based on the name of its command and control (C&C) domain aps.kemoge.net, comes with Android apps, including browsers, calculators, games, device lockers and sharing tools, said researchers at FireEye.
These applications end up uploaded to third-party app stores and promoted through in-app ads and download links posted on websites. The malware can also end up installed automatically via aggressive advertising networks that can gain root privileges to the device, said researchers at FireEye in a blog post.
Once installed on a smartphone, Kemoge collects information on the infected device and starts serving ads. The ads end up displayed to victims regardless of their activities, even without any apps running.
FireEye said there is more to the malware than just displaying ads. It can also make changes to the system so it automatically starts up when the user unlocks the screen or network connectivity changes.
It looks for a ZIP file disguised as a MP4 from which it extracts eight exploits designed to root phones. By using multiple root exploits, the malware can ensure it can hack a wide range of devices. Some of these exploits are publicly available as open source, while others come from a commercial tool dubbed “Root Master” (Root Dashi) used in other similar campaigns.
Once it gains root privileges on the device, the threat uses another component to ensure persistence, after which it injects an APK into the system partition disguised as a legitimate system service.
This service contacts aps.kemoge.net and waits for commands from the attackers. In order to avoid detection, the service only contacts the server on the first launch and then only after 24 hours from the previous command.
Researchers found Kemoge infections in over 20 countries, including China, the United States, Russia, Saudi Arabia, Egypt, Malaysia, Indonesia, France, the United Kingdom, Poland and Peru.