
Researchers believe malicious Android app written in Kotlin code may be a first

Researchers have discovered a fake mobile utility application called Swift Cleaner that they believe may be the first malicious app developed using the open-source Kotlin programming language.

Found on Google Play, the Android malware, identified as ANDROIDOS_BKOTKLIND.HRX, was disguised as a tool called Swift Cleaner that has been installed between 1,000 and 5,000 times, according to a Jan. 9 blog post from Trend Micro. The fake app purports to perform such helpful tasks as system and cache cleaning and memory optimization, but in truth it is capable of malicious remote command execution, information theft, unauthorized SMS sending and URL forwarding, and click/ad fraud. It also signs up unwitting users for premium SMS subscription services, without permission.

Lorin Wu, a mobile threats analyst with Trend Micro, reports in the blog post that Google was notified of the threat, and responded by verifying that Google Play Protect has safeguards in place to protect users from the malware family in question. The offending app was also removed, Trend Micro told SC Media.

In May 2017, Google essentially endorsed Kotlin for Android development purposes by announcing first-class support for the programming language. The official Kotlin website describes Kotlin as a statically typed programming language that is fully compatible with Java and Android and can be used to build apps across multiple platforms. Its advantages, according to the site, include the reduction of boilerplate code, minimization of errors, interoperability with existing libraries, and its tool-friendly nature. However, Wu says it is unclear how these features might benefit a bad actor when developing new malware.

“The discovery of a first Kotlin-developed malicious app is significant in a way that Google and other publications consider it as the next big thing when it comes to programming languages,” a Trend Micro research spokesperson explained to SC Media. “The fact that a malware was developed using it shows that no programming language, whatever their features are, can be immune to cybercriminal abuse.”

When launched, the Swift Cleaner malware sends the infected device's information to a remote command-and-control (C&C) server. The C&C server sends back various task requests, as well as a specific number to which the malware sends an unauthorized SMS message. At this point, URL forwarding and click/ad fraud are enabled.

Wu continues: “In its [click/ad] fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task... After that, the injection of the malicious Javascript code will take place, followed by the replacement of regular expressions... This will allow the malicious actor to parse the ads' HTML code in a specific search string. Subsequently, it will silently open the device's mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server.”

The blog post further reports that the malware can upload users' service provider information, login information and CAPTCHA images to the C&C server, which uses this data to create an unauthorized premium SMS service subscription.


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
