Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

10/7/2015
05:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'Evil' Kemoge Serves Androids Ads And Rootkits

Malware is wrapped into a wide variety of legitimate apps on third-party stores and one on Google Play.

Kemoge, a new piece of Android malware, won't just irritate users with relentless ads, but may also root their device, according to researchers at FireEye.

Like the recently discovered Mapin, which spread by attaching itself to Candy Crush and Plants vs. Zombies, Kemoge is propagating by packaging itself into popular, legitimate Android apps -- including security ones. Kemoge was found in Easy Locker and Privacy Lock, as well as ShareIt, Calculator, and Kiss Browser. 

First, Kemoge collects device info and aggressively serves up ads, popping up ads even if the user is doing nothing but idling on the Android home screen.

However, according to the FireEye report, "Initially Kemoge is just annoying, but it soon turns evil."

Kemoge also carries root exploits -- as many as eight different exploits, crafted for compromising a variety of device models. According to the report, some of the exploits are from the commercial tool Root Dashi (also called Root Master), and others are from open-source projects. The methods include include mempodroid, motochopper, perf_swevent exploit, sock_diag exploit, and put_user exploit.

Once the device is rooted, Kemoge receives instructions from its command-and-control server to either uninstall particular apps -- including anti-virus and popular legitimate apps -- launch particular apps, or download and install apps from URLs provided by the C2 server.

The Kemoge writers uploaded their weaponized apps to third-party app stores; one altered version of ShareIt also showed up on the official Google Play store, but it only included the adware, not the root exploits and C2 functionality. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TejGandhi1986
50%
50%
TejGandhi1986,
User Rank: Apprentice
10/12/2015 | 2:49:43 PM
Kemoge Virus
Thats a very interesting article.'Kemoge' malware seems to be pretty sophisticated malware.Two solutions to prevent it from spreading include:

1.Installing applications only from the official google app store.

2.Not clicking on suspicious links.

 
foufou54
50%
50%
foufou54,
User Rank: Apprentice
10/8/2015 | 12:03:23 PM
Scary technology
It's scary, it's not safe with nowadays technology. There is not android, same windows phone and ios are concerned
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9008
PUBLISHED: 2020-02-25
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
CVE-2020-9018
PUBLISHED: 2020-02-25
LiteCart through 2.2.1 allows admin/?app=users&doc=edit_user CSRF to add a user.
CVE-2020-9019
PUBLISHED: 2020-02-25
The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description.
CVE-2020-9391
PUBLISHED: 2020-02-25
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been ...
CVE-2020-8793
PUBLISHED: 2020-02-25
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.