A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play.
Researchers at Zscaler reported the app, which had a package name of com.polaris.BatteryIndicatorPro. The app requested excessive permissions from the user in an attempt to get full control of an Android device.
The criminals behind this scam were ultimately trying to harvest enough devices to profit from click fraud, ad fraud and premium SMS fraud, as well as download and install other malicious Android packages, called APKs.
“A few traces of command execution were also seen in the app but were not fully implemented,” wrote Zscaler researcher Shivang Desai. “Perhaps the developer is working on an upgraded version of the malware with proper ‘command-execution’ functionality.”
The app mimicked BatteryBot Pro, a popular battery indicator app for Android devices that comes in a free and a Pro version. According to statistics on Google Play, the legitimate app has been downloaded as many as 500,000 times. The legitimate app also requests minimal permissions on the device, limited to reading and modifying the contents of USB storage, running at startup, disabling the lock screen, preventing the device from sleeping, and controlling vibration.
The malicious app, Zscaler’s Desai said, requests dozens more permissions, many of them benign. Others that were more worrisome included permission to access the Internet, send SMS messages, mount and unmount file systems, get accounts, process outgoing calls, and download without notification.
“Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access of the victim’s device,” Desai wrote. “Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background.”
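A defender-side illustration of the over-permissioning and device-admin request described above, added here as an example rather than code from Zscaler or the article: a small Python triage script that diffs a manifest's requested permissions against the legitimate app's reported baseline, flags the permissions the article singles out, and detects a device-administrator receiver. The mapping of the article's permission descriptions onto Android permission constants and the sample manifest are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace

# Permissions the legitimate BatteryBot Pro is reported to need; this mapping of the
# article's wording onto Android permission constants is an assumption.
BASELINE = {
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.DISABLE_KEYGUARD",
    "android.permission.WAKE_LOCK", "android.permission.VIBRATE",
}
# Permissions the article singles out as worrisome in the spoofed app.
HIGH_RISK = {
    "android.permission.INTERNET", "android.permission.SEND_SMS",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS", "android.permission.GET_ACCOUNTS",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
}

def triage_manifest(manifest_xml):
    """Return (package, permissions beyond the baseline, high-risk hits, asks for device admin)."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app requests device-administrator rights.
    admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return root.get("package"), requested - BASELINE, requested & HIGH_RISK, admin

# Constructed sample manifest modelled on the article's description, not the real APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.polaris.BatteryIndicatorPro">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    pkg, excess, risky, admin = triage_manifest(SAMPLE)
    print(pkg, "extra:", sorted(excess), "high-risk:", sorted(risky), "device admin:", admin)
```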
Zscaler said the app tries, for example, to load various ad libraries in order to conduct click fraud. It also collects specific data from a device, including available memory, the IMEI number, location, model, language and SIM card availability.
“On the basis of various parameters and conditions in the server request, the malware starts receiving a list of ads to be displayed, along with the URLs for where to fetch the ads,” Desai wrote.
Soon, the device begins downloading more APKs and presenting the user with pop-up ads. Worse, when a user clicks on the View Battery Use feature in the app, the malware requests short codes from the attacker’s server; these turn out to be premium-rate SMS numbers, which the app then messages.
Zscaler warns that since the app ultimately gains admin privileges, it cannot be deleted by the user.
“While in some of the scenarios we were able to manually delete the app, the malware authors have taken care to ensure persistence,” Desai wrote. “The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted. This acts as a service and sends requests to hard-coded URLs found in the app.”
This opens a channel between the device and the attacker where new requests can be made, including for additional APKs.