Kemoge malware: Yet another reason not to use unofficial Android app installs

Unofficial Android apps are finding their way onto devices through ads in more than 20 countries, including the U.S. They gain root access and gather phone data before sending it off to a remote server.
Written by Kevin Tofel, Contributor

Another week, another attack on Android through adware apps, it seems.

Security and cyber-attack firm FireEye announced on Wednesday that it tracked a new mobile malware threat in more than 20 countries worldwide, including the U.S.

Dubbed Kemoge, the threat poses as standard, readily available Android apps but tricks users into installing them via ads. On the surface, the apps are duplicates of software that can be found on the Google Play Store; the key difference is that they attack the user's device after installation.

"The attacker uploads the apps to third-party app stores and promotes the download links via websites and in-app ads. Some aggressive ad networks gaining root privilege can also automatically install the samples. On the initial launch, Kemoge collects device information and uploads it to the ad server, then it pervasively serves ads from the background. Victims see ad banners periodically regardless of the current activity (ads even pop up when the user stays on the Android home screen)."

On its blog, FireEye says the insecure apps try to evade detection by running malicious code briefly at startup or 24 hours after installation.

Data such as the phone's IMEI, IMSI, and storage information are then remotely sent to a third-party server.

ArsTechnica, which also reported the development, notes that log files from infected devices show the apps also gain root access to Android.

What's particularly sneaky about these apps, which FireEye says may originate from China (simplified Chinese characters were found in all of the apps), is that they're repackaged under the same name and icon as currently available and safe Android apps.

WiFi Enhancer, Calculator and Talking Tom 3 are a few of the infected titles -- again, only from outside the Google Play Store. But for those who have installed or are familiar with these titles through Google's official app store, installing them may happen without a second thought.


One infected app even uses the same developer certificate as the original title found in the Google Play Store, which is especially concerning. Ars says Google has since removed that app from the Play Store.

Long story short: Android users shouldn't install apps from ads or other sources but instead directly from Google.
