Godless Android

Hits Lollipop or earlier

Android users are on alert for a dangerous new family of malware which has been given the name "Godless", after being detected as ANDROIDOS_GODLESS.HRX.

Experts warn this is particularly worrying because it has the ability to root, and therefore gain complete control over, affected devices. Godless doesn't rely on a single attack vector; it carries multiple exploits and targets devices running Lollipop or older - that equates to 90% of today's Android handsets.

Infected devices are turned into slave bots awaiting instructions from the attackers' command-and-control system. Because these devices can be rooted, backdoors, keyloggers and any number of unwanted apps can be installed remotely.

850,000 devices already infected

Knowing the Godless malware can root a device means disinfection is particularly difficult. Rooting in itself isn't a problem - developers do it all the time, and the modding scene relies on it for its custom Android spins - but the fear is that more than one payload could have been installed, so the user cannot be certain all of them have been removed. There is an open-source framework known as android-rooting-tools which has similarities to Godless; the two closest vulnerabilities targeted are CVE-2015-3636 and CVE-2014-3153.

Trend Micro have been gathering data from their Trend Micro Mobile App Reputation Service and found Godless to be present in many top-tier app stores, including Google Play and Amazon.


Silent rooting

Godless is pretty sneaky when it roots a user's device. Normally, although rooting is a straightforward operation, the user wants to see what is happening at all stages. Not so with this one though - it waits until the screen is turned off before getting on with it, so even clued-up users are none the wiser.

The Godless malware is termed a "family" because there isn't just one single instance - there are different types. One is a slimmed-down version which exists only to download other apps from the bad guys' servers.

Prevention really is better than cure

Users are normally advised to check the credentials of the developer of any app they install carefully - this is doubly important with Godless. A developer with little history or background information may be a clue that something is amiss, though not necessarily. Apps such as innocent-sounding flashlight utilities have been found to be infected.

Godless hit India first, then moved onto other South East Asian countries. At the time of writing, only 2% of affected users are in the USA.

An extra sneaky trick was uncovered when it was found that the same developer certificate used to upload totally clean apps to various app stores was later used for infected versions. This meant users could install legitimate apps which actually did what they claimed to - such as the flashlight example - and a later update then carried the malware payload in. The user would be unaware they had been infected, since an update signed with the same developer certificate wouldn't arouse suspicion.
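The certificate trick above works because a matching signing key only proves an update came from the same key holder; it says nothing about what the new version is allowed to do. The following is an added example (not code from the article or from Trend Micro) of a defender-side update review: it compares an installed version against a candidate update and flags a changed signer, a non-increasing version code, and any permissions the update adds, with extra emphasis on a small high-risk list. The package names, certificate digests, permission sets and the high-risk list are all constructed assumptions for illustration.

```python
"""Added example (not from the article or Trend Micro): review an app update
that keeps the same signing certificate but quietly widens its permissions.
All package data below is constructed for illustration."""

from dataclasses import dataclass, field

# Permissions whose appearance in an update deserves a second look. This list
# is an assumption chosen for the example, not something the article states.
DANGEROUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
}


@dataclass
class AppVersion:
    package: str
    version_code: int
    signer_sha256: str  # hex digest of the signing certificate (constructed)
    permissions: set = field(default_factory=set)


def review_update(installed: AppVersion, update: AppVersion) -> list:
    """Return human-readable findings; an empty list means nothing stood out.

    A same-signer update passes the signer check by design. The point of the
    function is that the signer check alone is not enough, so the permission
    diff is always performed as well.
    """
    if installed.package != update.package:
        raise ValueError("not the same package")

    findings = []
    if update.version_code <= installed.version_code:
        findings.append("version code did not increase (downgrade or replay?)")
    if installed.signer_sha256 != update.signer_sha256:
        findings.append("signing certificate changed")

    added = update.permissions - installed.permissions
    risky = sorted(added & DANGEROUS_PERMISSIONS)
    other = sorted(added - DANGEROUS_PERMISSIONS)
    if risky:
        findings.append("update adds high-risk permissions: " + ", ".join(risky))
    if other:
        findings.append("update adds permissions: " + ", ".join(other))
    return findings


# Constructed sample: a benign-looking flashlight app, followed by an update
# signed with the same (constructed) key that asks for far more than a torch needs.
FLASHLIGHT_V1 = AppVersion(
    package="com.example.torch",
    version_code=1,
    signer_sha256="ab" * 32,
    permissions={"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
)
FLASHLIGHT_V2 = AppVersion(
    package="com.example.torch",
    version_code=2,
    signer_sha256="ab" * 32,
    permissions={
        "android.permission.CAMERA",
        "android.permission.FLASHLIGHT",
        "android.permission.INTERNET",
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.RECEIVE_BOOT_COMPLETED",
    },
)

if __name__ == "__main__":
    for finding in review_update(FLASHLIGHT_V1, FLASHLIGHT_V2):
        print("WARN:", finding)
```

Run against the constructed sample, the signer check is silent (same key), but the permission diff reports the two high-risk additions and the extra INTERNET permission, which is exactly the kind of change a same-certificate update would otherwise slip past.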

More at Trend Micro.