The Kemoge adware family, as FireEye calls it, is thought to originate in China. Its infections already span more than 20 countries, including the U.S. and Russia. The adware disguises itself as repackaged popular apps, including “Calculator,” “Talking Tom 3,” and “Smart Touch.” These apps are put on third-party app stores.
Although the infection is relatively typical, with the downloaded app first serving up annoying ads and then trying to gain root access, it does come with one notably new feature. After gaining root, the malware searches for antivirus (AV) software and deliberately tries to uninstall or disable it.
Yulong Zhang, a FireEye research scientist, said in an interview with SCMagazine.com that this was the first time an adware group had been documented going directly after AV vendors in order to remain on a device.
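Since the article describes the adware removing or disabling security apps after it gains root, a defender-side check that spots exactly that change is worth having. The script below is an added example, not code from the article or from FireEye: it compares a saved package-list baseline against the current output of `adb shell pm list packages` (all packages) and `pm list packages -e` (enabled packages only) and reports security packages that have disappeared or been disabled, plus any packages that appeared since the baseline. The package names in the sample output and in the watch list are constructed placeholders, not the names of real products.

```python
# Added example (not from the article or FireEye): audit an Android package
# list for security apps that have been uninstalled or disabled since a
# baseline was taken. Input text mirrors the "package:<name>" per-line format
# of `adb shell pm list packages`; the names below are constructed placeholders.

# Security apps we expect to stay installed and enabled (assumed names).
SECURITY_PACKAGES = {
    "com.example.av",         # constructed placeholder for an AV app
    "com.example.mobilesec",  # constructed placeholder for a second security app
}

# Constructed sample output: baseline taken on a clean device.
BASELINE_OUTPUT = """\
package:com.android.settings
package:com.example.av
package:com.example.mobilesec
package:com.example.calculator
"""

# Constructed sample output: `pm list packages` after a suspected infection.
CURRENT_ALL_OUTPUT = """\
package:com.android.settings
package:com.example.mobilesec
package:com.example.calculator
package:com.example.newgame
"""

# Constructed sample output: `pm list packages -e` (enabled packages only).
CURRENT_ENABLED_OUTPUT = """\
package:com.android.settings
package:com.example.calculator
package:com.example.newgame
"""


def parse_package_list(text: str) -> set[str]:
    """Turn `pm list packages` style output into a set of package names."""
    packages = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines and anything that is not a package entry
        packages.add(line[len("package:"):])
    return packages


def audit_packages(baseline_text: str, current_all_text: str,
                   current_enabled_text: str) -> dict[str, set[str]]:
    """Compare baseline vs. current package lists and flag suspicious changes.

    Returns a dict with three sets:
      removed_security  - security apps present in the baseline but gone now
      disabled_security - security apps still installed but no longer enabled
      new_packages      - packages that were not in the baseline at all
    """
    baseline = parse_package_list(baseline_text)
    current_all = parse_package_list(current_all_text)
    current_enabled = parse_package_list(current_enabled_text)

    return {
        "removed_security": (baseline & SECURITY_PACKAGES) - current_all,
        "disabled_security": (current_all & SECURITY_PACKAGES) - current_enabled,
        "new_packages": current_all - baseline,
    }


def is_suspicious(report: dict[str, set[str]]) -> bool:
    """True when any security app was removed or disabled."""
    return bool(report["removed_security"] or report["disabled_security"])


if __name__ == "__main__":
    result = audit_packages(BASELINE_OUTPUT, CURRENT_ALL_OUTPUT, CURRENT_ENABLED_OUTPUT)
    for key, packages in result.items():
        print(f"{key}: {sorted(packages)}")
    print("suspicious:", is_suspicious(result))
```

In practice the baseline would be captured from a known-good device image and the two current lists pulled over adb; a security app that vanishes between the two snapshots without an administrator action is exactly the signal the article says this family produces.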
Going back to the adware's technique for gaining root, once a user downloads a malicious app, the malware unpacks its disguised .zip file, which is protected by at least three layers of encryption. The perpetrators go to great lengths to keep their ultimate payload hidden.
The payload contains exploits for multiple Android devices, including Motorola and Samsung, Zhang said. The apps also don't ask for administrator privileges, although Zhang said users typically breeze through the permissions page anyway. Instead, they request access to portions of the phone where the malware might be able to run a root exploit. The camera is one example, he said.
“There's no direct relationship between the description of a permission and its root exploit,” he explained. “It might access the camera, but there may be some vulnerability in the camera's library, and the app can obtain root by exploiting it.”
While these apps are all located on a third-party store, Zhang did point out that one of the malicious apps was designed by a developer whose products appear in the legitimate Google Play store. It doesn't necessarily mean any apps made it through to the real Android marketplace, but Zhang did caution that it's a possibility.
Although a malicious app might not be live now, it could have been in the past and then updated to a benign state.