Android Users Hit with ‘Undeletable’ Adware

Researchers say that 14.8 percent of Android users who were targeted with mobile malware or adware last year were left with undeletable files.

UPDATE

A healthy percentage of Android users targeted by mobile malware or mobile adware last year suffered a system partition infection, making the malicious files virtually undeletable.

That’s according to research from Kaspersky, which found that 14.8 percent of its users who suffered such attacks were left with undeletable files. These range from trojans that can install and run apps without the user’s knowledge, to less threatening, but nevertheless intrusive, advertising apps.

“A system partition infection entails a high level of risk for the users of infected devices, as a security solution cannot access the system directories, meaning it cannot remove the malicious files,” the firm explained, in a posting on Monday.

Moreover, research found that most devices harbor pre-installed default applications that are also undeletable – the number of those affected varies from 1 to 5 percent of users with low-cost devices, and reaches 27 percent in extreme cases.

“Infection can happen via two paths: The threat gains root access on a device and installs adware in the system partition, or the code for displaying ads gets into the firmware of the device before it even ends up in the hands of the consumer,” according to the firm.

In the latter scenario, this could lead to potentially undesired and unplanned consequences. For instance, many smartphones have functions providing remote access to the device. If abused, such a feature could lead to a data compromise of a user’s device.

Unwanted and Malicious Apps

Among the most common types of malware that Kaspersky has found installed in the system partition of Android smartphones are two older threats: The Lezok and Triada trojans.

“The latter is notable for its ad code embedded not just anywhere, but directly in libandroid_runtime — a key library used by almost all apps on the device,” according to the analysis.

However, examining victims’ system apps revealed a wide range of threats.

The Agent trojan for instance is an obfuscated malware that usually hides in the app that handles the graphical interface of the system, or in the Settings utility, without which the smartphone cannot function properly. The malware delivers its payload, which in turn can download and run arbitrary files on the device.

Then there’s the Sivu trojan, which is a dropper masquerading as an HTMLViewer app.

“The malware consists of two modules and can use root permissions on the device,” according to Kaspersky. “The first module displays ads on top of other windows, and in notifications. The second module is a backdoor allowing remote control of the smartphone. Its capabilities include installing, uninstalling and running apps, which can be used to covertly install both legitimate and malicious apps, depending on the intruder’s goals.”

The Plague adware app is another common threat that Kaspersky found installed in the system partition. It pretends to be a legitimate system service, calling itself Android Services – but in reality, it can download and install apps behind the user’s back, as well as display ads in notifications.

“What’s more, Plague.f can display ads in SYSTEM_ALERT_WINDOW — a pop-up window that sits on top of all apps,” explained the researchers.

The Necro.d trojan is unusual, because it’s a native library located in the system directory. Its launch mechanism is built into another system library, libandroid_servers.so, which handles the operation of Android services.

“At the command of the command-and-control (C2), Necro.d can download, install, uninstall and run apps,” explained the researchers. “In addition, the developers decided to leave themselves a backdoor for executing arbitrary shell commands. On top of that, Necro.d can download Kingroot superuser rights utility — seemingly so that the OS security system does not interfere with delivering ‘very important’ content for the user.”

Penguin, Facmod, Guerrilla, Virtualinst and Secretad are also often found on mobile device system partitions.

As for pre-installed adware, some devices ship with an application called “AppStore,” which Kaspersky researchers said appears to be hidden adware able to load under the radar and display itself in invisible windows. This eats up data and battery power, the researchers pointed out – but the app also can download and execute third-party JavaScript code.

“Our analysis demonstrates that mobile users are not only regularly attacked by adware and other threats, but their device may also be at risk even before they purchased it,” said Igor Golovin, security researcher at Kaspersky, in a media statement. “Customers don’t even suspect that they are spending their cash on a pocket-sized billboard. Some mobile device suppliers are focusing on maximizing profits through in-device advertising tools, even if those tools cause inconvenience to the device owners.”

In the case of phones with pre-installed adware (Kaspersky said that Meizu devices are among the offenders), users are likely out of luck.

“Unfortunately, if a user purchases a device with such pre-installed advertising, it is often impossible to remove it without risking damage to the system,” Kaspersky researcher Igor Golovin told Threatpost. “In this case, all hopes rest on enthusiasts who are busy creating alternative firmware for devices. But it’s important to understand that reflashing can void the warranty and even damage the device.”

He added, “I advise users to look carefully into the model of smartphone they are looking to buy and take these risks into account. At the end of the day, it is often a choice between a cheaper device or a more user-friendly one.”

This article was updated at 12:15 ET on July 8 to include more information on pre-installed adware.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles

Discussion

  • Larry Martin on

    Has Google been made aware of all of this? If so, what was their response?
  • Huzaifah on

    useful info
  • Anonymous on

    Is there anything I can use instead of Google Android
  • Joe Soap on

    Out the handset providers doing this and the market will punish...consumers shouldn't be exposed to handsets infected by malware intentionally.
  • Anonymous on

    Windows phones were best.
  • Dэаdsիօ+ on

    At this point, you need a better choice in phones, Android phones aren't known for their security. Try apple brand, they encrypt their phones much better.
  • Shawna on

    How do I get rid of these programs?
  • Hamuel on

    Tl;dr
  • Toad on

    “Customers don’t even suspect that they are spending their cash on a pocket-sized billboard. Some mobile device suppliers are focusing on maximizing profits through in-device advertising tools, even if those tools cause inconvenience to the device owners.” You you don't reveal the names of the mobile device suppliers, then all you have done is raise fear. Identifying such SCUM is the first step in stopping such practices.
  • Darlene on

    Great article on smart phone threats...but NO explanation how to get rid of them..!!! How about giving us the tool o clean our phones of the invasive Trojans....
  • DAVID SAIN on

    Simply install a good AV product.
  • David W. on

    Right now I have the free version of bit defender installed, and I perform scans manually in addition to the app performing auto scans on it's own. Up until now I thought that bit defender was good enough.
  • Israel Queiroz on

    isso não é coisa de hoje um dos pequenos problemas dos usuários é que eles realmente não segue recomendação de segurançanão clicar em link desconhecido não abrir e-mail desconhecido isso é segurança mais importante para um celular Android computadore se ver um e-mail desconhecido essas coisas assim que não conhece bloqueia manda para o spam coloquei para não receber mais mensagem e assim o celular vai ficar seguro você precisa testar antivírus não conhece também do WhatsApp tá mandando o link bloqueia e denuncia para o WhatsApp

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.