Kemoge, a new piece of Android malware, won't just irritate users with relentless ads, but may also root their device, according to researchers at FireEye.
Like the recently discovered Mapin, which spread by attaching itself to Candy Crush and Plants vs. Zombies, Kemoge is propagating by packaging itself into popular, legitimate Android apps -- including security ones. Kemoge was found in Easy Locker and Privacy Lock, as well as ShareIt, Calculator, and Kiss Browser.
First, Kemoge collects device info and aggressively serves up ads, popping up ads even if the user is doing nothing but idling on the Android home screen.
However, according to the FireEye report, "Initially Kemoge is just annoying, but it soon turns evil."
Kemoge also carries root exploits -- as many as eight different exploits, crafted for compromising a variety of device models. According to the report, some of the exploits are from the commercial tool Root Dashi (also called Root Master), and others are from open-source projects. The methods include mempodroid, motochopper, the perf_swevent exploit, the sock_diag exploit, and the put_user exploit.
Once the device is rooted, Kemoge receives instructions from its command-and-control server to do one of three things: uninstall particular apps (including anti-virus and popular legitimate apps), launch particular apps, or download and install apps from URLs provided by the C2 server.
The Kemoge writers uploaded their weaponized apps to third-party app stores; one altered version of ShareIt also showed up on the official Google Play store, but it only included the adware, not the root exploits and C2 functionality.