Threat researchers at FireEye have uncovered a new variant of malicious adware spreading worldwide that can give hackers root access to Android devices.
The adware has been uncovered in 20 countries including the UK and the US, and has infected a wide range of organisations including governments and large-scale industries. It is able to disguise itself as popular Android applications.
Hackers are using the Kemoge strain by uploading malicious applications to third-party app stores and promoting the download links via websites and in-app ads, according to FireEye.
Once launched, Kemoge collects device information and uploads it to an ad server before serving invasive ads to the Android user, sending pop-ups even when the user stays on their home screen.
FireEye noted that the adware carries as many as eight exploits to root phones, and targets a wide range of Android models.
To evade detection, the adware does not constantly communicate with an ad server. Instead, it asks for commands only on the first launch or after 24 hours from its last command.
In each communication, it posts the IMEI, IMSI, storage info and installed app info to the remote server.
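A defender can turn the check-in pattern described above (device identifiers posted to one host, once at first launch and then roughly every 24 hours) into a simple hunting rule. The following is an added example, not FireEye's or V3's code; the log format, host names and device names are constructed for illustration.

```python
"""Flag destination hosts that receive IMEI/IMSI posts either once or on a
~24h cadence, the low-frequency beaconing pattern described in the article.
Log format and all sample values are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log: timestamp, device, destination host, POST field names
SAMPLE_LOG = [
    "2015-10-01T08:00:00 dev-a ads.example-adserver.test imei,imsi,storage,apps",
    "2015-10-02T08:00:30 dev-a ads.example-adserver.test imei,imsi,storage,apps",
    "2015-10-03T08:01:10 dev-a ads.example-adserver.test imei,imsi,storage,apps",
    "2015-10-01T09:00:00 dev-a api.legit-weather.test lat,lon",
    "2015-10-01T09:05:00 dev-a api.legit-weather.test lat,lon",
    "2015-10-01T12:00:00 dev-b ads.example-adserver.test imei,imsi,storage,apps",
    "2015-10-01T10:00:00 dev-c telemetry.chatty.test imei,imsi",
    "2015-10-01T10:05:00 dev-c telemetry.chatty.test imei,imsi",
]

IDENTIFIER_KEYS = {"imei", "imsi"}  # hardware identifiers named in the report


def parse_line(line):
    """Split one constructed log line into (timestamp, device, host, field set)."""
    ts, device, host, keys = line.split()
    return datetime.fromisoformat(ts), device, host, set(keys.split(","))


def find_identifier_beacons(lines, period=timedelta(hours=24),
                            tolerance=timedelta(minutes=30)):
    """Return {(device, host): post_count} for hosts that receive IMEI+IMSI
    posts spaced about one `period` apart. A single post is reported with
    count 1 so the first-launch upload is visible; frequent chatter (gaps far
    from the period) is excluded, matching the 24h quiet interval described."""
    posts = defaultdict(list)
    for line in lines:
        ts, device, host, keys = parse_line(line)
        if IDENTIFIER_KEYS <= keys:
            posts[(device, host)].append(ts)
    flagged = {}
    for key, times in posts.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            flagged[key] = len(times)
    return flagged


if __name__ == "__main__":
    for (device, host), count in find_identifier_beacons(SAMPLE_LOG).items():
        print(f"{device} -> {host}: {count} identifier post(s) on ~24h cadence")
```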
Simon Mullis, global technical lead at FireEye, told V3 that underneath the standard adware appearance lies a more complicated attack vector.
"The interesting thing about this one is that, although it's got the veneer of the ad revenue angle, there seems to be a more aggressive and more organised approach to try and root phones and get total control," he said.
"It's got all these root kits built in, and then it's able to await further instructions. In fact, we have got multiple levels of encryption hiding the payload."
Mullis said that the evidence points to Chinese hackers based on an analysis of Google app certificates.
"In this case all of the evidence suggests the certificates used to sign certain components belonged to Zhang Long [a developer], who shared it with another application that was registered to Google Play," he said.
This developer, who has posted a separate app called ShareIt, which has seen between 100,000 and 500,000 downloads, used the same certificates for both applications. The type of third-party libraries used in the app code indicates China as the origin.
Google told V3 that it could offer no official comment at this time.
Yulong Zhang, a threat researcher at FireEye, has advised Android users to use only the official Google app store, never click on suspicious links and keep all devices fully updated.
"This is another malicious adware family, possibly written by Chinese developers or controlled by Chinese hackers, spreading on a global scale that represents a significant threat," he said.
The news comes after FireEye revealed a separate emerging strain of Android malware coming from a China-based mobile firm named NGE Mobi that can also allow complete control of a device.