Researchers have discovered a fake mobile utility application called Swift Cleaner that they believe may be the first malicious app developed using the open-source Kotlin programming language.
Found on Google Play, the Android malware, identified as ANDROIDOS_BKOTKLIND.HRX, was disguised as a tool called Swift Cleaner that has been installed between 1,000 and 5,000 times, according to a Jan. 9 blog post from Trend Micro. The fake app purports to perform such helpful tasks as system and cache cleaning and memory optimization, but in truth it is capable of malicious remote command execution, information theft, unauthorized SMS sending and URL forwarding, and click/ad fraud. It also signs up unwitting users for premium SMS subscription services, without permission.
Lorin Wu, a mobile threats analyst with Trend Micro, reports in the blog post that Google was notified of the threat, and responded by verifying that Google Play Protect has safeguards in place to protect users from the malware family in question. The offending app was also removed, Trend Micro told SC Media.
In May 2017, Google essentially endorsed Kotlin for Android development purposes by announcing first-class support for the programming language. The official Kotlin website describes Kotlin as a statically typed programming language that is fully compatible with Java and Android and can be used to build apps for across multiple platforms. Its advantages, according to the site, include the reduction of boilerplate code, minimization of errors, interoperability across existing libraries, and its tool-friendly nature. However, Wu says it is unclear how these features might benefit a bad actor when developing new malware.
“The discovery of a first Kotlin-developed malicious app is significant in a way that Google and other publications consider it as the next big thing when it comes to programming languages,” a Trend Micro research spokesperson explained to SC Media. “The fact that a malware was developed using it shows that no programming language, whatever their features are, can be immune to cybercriminal abuse.”
When launched, the Swift Cleaner malware sends the infected device's information to a remote command-and-control server. The C&C server sends back various tasks requests, as well as a specific number to which the malware sends an unauthorized SMS message. At this point URL forwarding and click/ad fraud is enabled.
Wu continues: “In its [click/ad] fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task... After that, the injection of the malicious Javascript code will take place, followed by the replacement of regular expressions... This will allow the malicious actor to parse the ads' HTML code in a specific search string. Subsequently, it will silently open the device's mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server.”
The blog post further reports that the malware can upload users' service provider information, login information and CAPTCHA images to the C&C server, which uses this data to create an unauthorized premium SMS service subscription.
