Kemoge malware: Beware of unofficial Android app installs

Android malware is on the rise and this week security researchers from FireEye uncovered another malicious player. FireEye has called it ‘Kemoge’.

Kemoge is adware that disguises itself as popular apps. It takes the name of a popular app, repackages it with a small amount of malicious code and then makes the result available to users. Users who install such infected unofficial Android apps are the targets. Once the app is installed, the adware gains root access and gathers phone data before sending it to a remote server.

WiFi Enhancer, Calculator and Talking Tom 3 are a few of the infected titles, all distributed from outside the Google Play Store. For users who have installed or are familiar with these titles through Google’s official app store, installing the repackaged versions may happen without a second thought.

According to FireEye, the adware can take over an entire device and hand control to whichever group is behind it; the attack is believed to come from China, since simplified Chinese characters were found in all of the apps. About 20 countries have been reported to be hit by this malware.

Figure 1. Countries infected

How does Kemoge work?

  1. The attacker submits the app to third-party app stores and advertises the download links through popular blogs and ads. Some ad networks are able to install Kemoge directly on a device.
  2. After the first launch, the malware performs reconnaissance (gathers information from the device) and uploads the device information to malicious servers, allowing it to serve ads in the background.
  3. When infection is complete, ads are displayed to users periodically, regardless of what the user is doing.

This is not just annoying adware. Soon after it starts serving ads, Kemoge imports 8 different types of malware that root the device without the user’s knowledge and grant the malware root (administrator) rights. Kemoge is dangerous because it can uninstall antivirus, Android protection and other popular apps in order to prepare further attacks.

Figure 2. Kemoge’s Lifecycle

FireEye researchers conducted their research on a Nexus 7 running Android 4.3 (Jelly Bean). During the experiment, the server commanded the device to uninstall legitimate apps and filled it with malicious code. The name ‘Kemoge’ is derived from its command and control (C2) domain, aps.kemoge.net.
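The C2 domain above is the one concrete indicator the article gives, and it is the kind of thing a defender would want to match against DNS or proxy logs. The following is an added example, not code from the article or from FireEye: it scans constructed DNS log lines for queries to aps.kemoge.net or any host under kemoge.net. The log format (timestamp, client IP, query name), the sample lines and the hostname update.kemoge.net are all constructed for the example; only aps.kemoge.net comes from the page.

```python
"""Flag DNS queries to the Kemoge C2 domain in constructed log lines.

Added example (not from the original article or FireEye). The only
indicator taken from the page is the C2 domain aps.kemoge.net; the log
format and sample lines below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Indicator from the article: Kemoge's command-and-control host.
C2_DOMAINS = {"aps.kemoge.net"}

# Assumption: matching the whole registered domain, not only the one host,
# also catches other hostnames under it. Derived from the indicator above.
C2_ZONES = {"kemoge.net"}


def normalize_qname(qname: str) -> str:
    """Lower-case the name and strip the trailing dot that DNS logs often carry."""
    return qname.strip().rstrip(".").lower()


def matches_c2(qname: str) -> bool:
    """True if the queried name is a known C2 host or lies under a C2 zone.

    The suffix check includes the leading dot, so 'notkemoge.net' does not
    match the way a naive endswith('kemoge.net') would.
    """
    name = normalize_qname(qname)
    if name in C2_DOMAINS or name in C2_ZONES:
        return True
    return any(name.endswith("." + zone) for zone in C2_ZONES)


# Constructed log line layout: "<timestamp> <client-ip> <query-name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for each line that hits the C2 indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname = m.groups()
        if matches_c2(qname):
            hits.append((ts, client, normalize_qname(qname)))
    return hits


# Constructed sample log; none of these lines is real traffic.
SAMPLE_LOG = [
    "2015-10-08T10:00:01Z 10.0.0.12 play.google.com.",
    "2015-10-08T10:00:05Z 10.0.0.23 APS.KEMOGE.NET.",
    "2015-10-08T10:00:09Z 10.0.0.23 update.kemoge.net",
    "2015-10-08T10:00:12Z 10.0.0.31 notkemoge.net",
    "garbage line",
]

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried C2 host {qname}")
```

Run against the sample log, only the two queries from 10.0.0.23 are reported; the mixed-case name with a trailing dot is normalised before comparison, the look-alike notkemoge.net is ignored, and the malformed line is skipped. A client that shows up here is a candidate for the infection lifecycle described above and is worth checking for sideloaded apps.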

How to protect yourself from Kemoge?

  1. Never click on suspicious links from emails/SMS/websites/advertisements.
  2. Don’t install apps outside the official app store.
  3. Keep Android devices updated to avoid being rooted through publicly known bugs. (Upgrading to the latest OS version provides some security, but it does not guarantee that you will remain protected.)

To keep it simple: “Android users shouldn’t install apps from ads or other sources but instead directly from Google.”

To know more about Kemoge, follow FireEye’s official blog.

Courtesy: FireEye

Ravikiran Kunder

Infosec trainer by passion and Infosec consultant by profession.
