The sheer volume of malware found on various Android app stores from around the world – including some found in Google's Play Store – has been a huge cause for concern over the years. The latest such malicious software to join the list is ‘Godless’, which apparently “has a set of rooting exploits in its pockets”. That's according to an announcement by security firm Trend Micro, whose researchers discovered the malware recently. The offending piece of software is detected as ANDROIDOS_GODLESS.HRX, and any device running pre-Marshmallow versions of Android are, in theory, vulnerable to the malware. Disconcertingly, almost 90% of all Android devices in circulation today run Android 5.1 Lollipop or earlier versions of the OS, and according to the Trend Micro’s estimates, as many as 850,000 devices around the world have already been affected, with India accounting for almost half of all such cases.
While Trend Micro researchers have gone into great technical details about the ins and outs of the Godless malware, what they’ve said in essence is that the newly-discovered malware is not unlike an exploit kit, because “it uses an open-source rooting framework called android-rooting-tools”, which has a number of different exploits that can be used to root Android devices. According to the researchers, two of the most well-known vulnerabilities that are targeted by this kit are CVE-2015-3636 and CVE-2014-3153. While the second one is used by TowelRoot, the first one is used by the ever-popular PingPongRoot for rooting Android devices.
Once installed, the malware apparently waits for the screen to be turned off before automatically starting the process of rooting the device. Once that’s done, the malware can then be remotely instructed to download and install unwanted apps on compromised systems. While most of these malicious apps just inundate users with ads, some of the downloaded software can actually do something much more malicious. According to the post by Trend Micro, “these threats can also be used to install backdoors and spy on users”. The malware apparently has evolved over time, and more recent Godless versions are apparently also capable of bypassing security checks done by app stores.
The researchers who discovered this vulnerability claim to have come across a number of apps on Google Play that contain the malicious code. That list includes at least one flashlight app called Summer Flashlight that has now apparently been removed from the Play Store. Others on the list include Wi-Fi apps and some copies of popular games. What’s also worrying is that some of the clean apps on Google Play also have malicious versions that come with the same developer certificate. So updating those apps from other sources could also potentially leave devices vulnerable. Trend Micro has described the new-found malware in great technical detail on its blog, so anyone interested should click through the source link below to know more on the subject.