A new malicious Android app has infected at least 60,000 devices gaining the ability to extract some important information from each device along with installing some ad click malware.
The scam's, which was uncovered by RiskIQ, initial introduction to a device starts with a pop-up ad telling the device owner that the battery may be having issues and running down too quickly. The malware is able to determine the brand and model of the device by parsing the user-agent server-side and embedding the processed brand and model information in the script that renders the pop-up.
The ad offers to solve this problem by connecting the user with a power saver app.
The pop up offers the target the chance to either download the power saver or cancel out of the deal. However, the malware does not care which choice is made and transports the user to a power saver app located in the legitimate Google Play store. This fact made the RiskIQ researchers believe the group behind this scam is relatively unsophisticated. The most effective way to get rid of such a pop up is to restart the device.
If the victim decides to install the power saver app he or she must give the app some very important permissions.
- Read sensitive log data
- Receive text messages (SMS)
- Receive data from Internet
- Pair with Bluetooth devices
- Full network access
- Modify system settings
On the bright side, the power saving app actually works by stopping processes that use too much power during a low battery state and it monitors the battery's status.
But that is the only bonus. In addition to giving the malware the ability to control their phone, the user also has a small ad-clicking backdoor installed.
“While it may seem benign, the ad-clicker also steals information from the phone, including IMEI, phone numbers, phone type/brand/model, location, and more,” RiskIQ said.
The device then is registered with a command and control server and starts to look for ad-clicking assignments which will generate income for the malware's creators. The ad-clicking bot runs in the background and does not use much power.