10/7/2015
05:30 PM
'Evil' Kemoge Serves Androids Ads And Rootkits

Malware is wrapped into a wide variety of legitimate apps on third-party stores and one on Google Play.

Kemoge, a new piece of Android malware, won't just irritate users with relentless ads, but may also root their device, according to researchers at FireEye.

Like the recently discovered Mapin, which spread by attaching itself to Candy Crush and Plants vs. Zombies, Kemoge is propagating by packaging itself into popular, legitimate Android apps -- including security ones. Kemoge was found in Easy Locker and Privacy Lock, as well as ShareIt, Calculator, and Kiss Browser. 

First, Kemoge collects device info and aggressively serves up ads, popping up ads even if the user is doing nothing but idling on the Android home screen.

However, according to the FireEye report, "Initially Kemoge is just annoying, but it soon turns evil."

Kemoge also carries root exploits -- as many as eight different exploits, crafted to compromise a variety of device models. According to the report, some of the exploits come from the commercial tool Root Dashi (also called Root Master), and others come from open-source projects. The methods include mempodroid, motochopper, the perf_swevent exploit, the sock_diag exploit, and the put_user exploit.

Once the device is rooted, Kemoge takes instructions from its command-and-control server: uninstall particular apps (including anti-virus and popular legitimate apps), launch particular apps, or download and install apps from URLs the C2 server supplies.

The Kemoge writers uploaded their weaponized apps to third-party app stores; one altered version of ShareIt also showed up on the official Google Play store, but it only included the adware, not the root exploits and C2 functionality. 
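Because the root-capable Kemoge samples were distributed through third-party stores rather than Google Play, a first triage step on a suspect device is to list which user-installed apps did not come from the Play installer. The following shell check is an added example (not code from the article or from FireEye's report); it parses the output of `adb shell pm list packages -3 -i`, and the package names in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not from the article or FireEye's report.
# Reads `adb shell pm list packages -3 -i` output on stdin (third-party apps
# only, with the recorded installer) and prints "<package> <installer>" for
# every app whose installer is not Google Play. An installer of "null" means
# the APK was sideloaded; any other value is the store app that installed it.

PLAY_STORE="com.android.vending"   # Google Play's package name

# flag_non_play: filter `pm list packages -i` lines and emit non-Play installs.
flag_non_play() {
    # Line format from pm: "package:<name>  installer=<pkg|null>"
    tr -d '\r' |
    sed -n 's/^package:\([^ ]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p' |
    awk -v play="$PLAY_STORE" '$2 != play { print $1, $2 }'
}

# Constructed sample standing in for a real device (package names invented).
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.easylocker  installer=null
package:com.example.shareit  installer=com.thirdparty.store
package:com.example.calculator  installer=com.android.vending'

# Real use: adb shell pm list packages -3 -i | flag_non_play
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | flag_non_play
fi
```

Treat the output as a triage list, not a verdict: the article notes that one ShareIt variant did reach Google Play with the adware component, so a Play installer alone does not prove an app is clean.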

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
foufou54, 10/8/2015 | 12:03:23 PM
Scary technology
It's scary; it's not safe with today's technology. It's not only Android; Windows Phone and iOS are concerned as well.
TejGandhi1986, 10/12/2015 | 2:49:43 PM
Kemoge Virus
That's a very interesting article. The 'Kemoge' malware seems to be pretty sophisticated. Two solutions to prevent it from spreading include:

1. Installing applications only from the official Google app store.

2. Not clicking on suspicious links.
