Malware in the Android Market

Every day, we see more reports about malware in the Android Market. This time three developers known as MYOURNET, Kingmall2010, and we20090202, possibly the same person, were offering a number of Android apps for free download.

Many, if not all of the apps, were trojanized copies of legitimate apps from other developers.

I downloaded one app in particular called Super Guitar Solo. Upon reviewing the app, I found it contains the popular “rage against the cage” root exploit commonly used to “root” Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator level access to the phone’s operating system. In this case the exploit is launched without the owner’s consent.

So what is the purpose of this Trojan? The application will attempt to gather product ID, device type, language, country, and userID among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages.

This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format. We have previously talked about this here:

The Dark Side of the new Android Market

It’s also interesting to point out that, just as our researchers predicted last year, the cybercriminals have started taking advantage of jailbreaking tools as mentioned here:

The Dangers of Jailbreaking

One of the important observations here is that it is likely that these are not the only live malware in the Android Market. Kaspersky recommends that you always check all the permission requests that an application is requesting at install time. This also highlights the dangers of jailbreaking or rooting your devices. This particular root exploit has been detected by Kaspersky as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j since February 1st, so if you are a Kaspersky Mobile Security user, you are already protected.

Kaspersky will continue to examine this sample and update with any future information.

UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.

Malware in the Android Market

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox