Cybersecurity researchers have discovered a new malicious Android app that has infected at least 60,000 devices, gaining the means to extract critical information from phones in addition to installing ad-clicking malware.
Discovered by researchers at RiskIQ, the malware initially shows a pop-up ad warning the device owner of battery issues. Notably, the malware is also able to display the brand and model of the infected device: the user agent is parsed server-side, and the extracted brand and model are embedded in the script that renders the pop-up.
At this point, the pop-up offers the targeted victim the choice to either download the power saver tool or opt against it. Regardless of the choice, the malware then directs the user to a power saver app located in Google’s official Play Store.
“We are taken to the Google Play page regardless of whether the code identifies us as a mobile or desktop user-agent, a catch-all approach which could suggest that a relatively unsophisticated group is behind the scam page.”
The more alarming aspect is the list of permissions sought by the mobile app, with a few choice requirements including:
- Read sensitive log data
- Receive text messages (SMS)
- Receive data from Internet
- Pair with Bluetooth devices
- Full network access
- Modify system settings
Curiously, the app does reduce battery strain, kill processes consuming heavy battery resources during a low power state and monitor battery status overall – all functions promised by the application.
However, the app also installs a small ad-clicking backdoor that is tucked away within the battery saver code.
“While it may seem benign, the ad-clicker also steals information from the phone, including IMEI, phone numbers, phone type/brand/model, location, and more,” researchers added.
The malware then registers the device with a command and control server before fishing for ad-clicking assignments to create illicit revenue for the malware’s creators.
Image credit: Pexels.