There is an app in Google Play Store that hides malware capable of rooting the user’s device in order to install unwanted applications.
The app’s name is LevelDropper and after users install this app, they might notice an empty popup window appear for the LocationServices, said researchers at security provider Lookout.
If the user sees the empty popup window, that is an issue because it is a sign that an Android OS service has just crashed. These types of crashes are how exploits manifest themselves.
Behind the scenes, the malware hidden in LevelDropper’s code starts executing its malicious code and exploits the crash to escalate its access to the root user.
After analyzing the app’s entire code, Lookout researchers said the app didn’t feature any new rooting functions, but leveraged rooting exploits already available in the wild.
These exploits would normally end up detected by Google’s Bouncer, a security system used to scan apps before being added to the Play Store.
Lookout researchers said in a blog post 30 minutes after it installed LevelDropper, the app had already downloaded and installed 14 applications, all without user interaction.
Analyzing the infected phone’s filesystem, researchers failed to find the regular aftermath left behind by most rooting exploits.
Besides the privilege escalation rooting exploit, researchers said they also found two privilege escalation exploits and supporting package files such as SuperSU, busybox, and supolicy. These two additional privilege escalation exploits also had the ability to root the device.