Viking Horde Malware Co-Ops Android Devices for Ad Fraud

The Viking Horde Android malware campaign can leverage victims’ phones for ad fraud, carry out DDoS attacks, send spam, and more, researchers warn.

The latest Android malware campaign to wend its way through Google’s Play marketplace can leverage victims’ phones for ad fraud, carry out DDoS attacks, send spam, and more, researchers warn.

Dubbed Viking Horde, the campaign ropes Android devices into a botnet without their owners being any the wiser. A handful of apps that spread the malware family have managed to sneak into Play under Google’s watch – the most popular being a game named Viking Jump, according to researchers at Check Point, who discovered the family of malware and described it in detail earlier this week.

The malware has also reportedly spread through apps named Memory Booster, Parrot Copter, Simple 2048, and WiFi Plus. Before it was removed, Viking Jump was the most popular of the apps, garnering 50,000 to 100,000 downloads. The app even became a “top free app” in some markets.

Check Point claims it notified Google of the malicious apps last Thursday, May 5. A cursory search on Google Play failed to yield any results for them, suggesting the company was able to purge the apps from its marketplace.

According to Andrey Polkovnichenko and Oren Koriat, members of the company’s research team, Viking Horde doesn’t care whether devices are rooted or not – it compromises both to disguise ad clicks via proxied IP addresses.

“The malware’s primary objective is to hijack a device and then use it to simulate clicks on advertisements in websites to accumulate profit,”the two wrote of the malware on Monday, “The malware needs this proxy to bypass ad-nets’ anti-fraud mechanisms by using distributed IPs.”

When users installed the apps, several components were installed outside of the application’s directory, something that made it persist on devices. The threat can be even more troublesome on rooted devices and grant attackers the ability to carry out remote code execution.

If rooted, because of the way the update mechanism is configured, the app can download new binary from an attack server. It can then be triggered to allow downloading and execution of remote code.

If a user attempts to uninstall the app, and the device is rooted, those components installed outside the app’s directory hang around. One of them, app_exec, decrypts another component,, which is installed silently and runs after boot, ensuring the malware sticks around on the device for the long haul.

If the device isn’t rooted, the malware can still send and receive information without the user’s authorization. Researchers observed one instance where a device’s OS version, battery status, and GPS coordinates were sent to an attacker’s command and control server.

The malware mostly affected Russian users, but also plagued users in the U.S., Spain, Lebanon, and Saudi Arabia, and to a lesser extent the Dominican Republic, Brazil, and Colombia, according to researchers, who analyzed a command and control server to glean data on the distribution of victims.

Malicious Android apps that dupe users into surrendering their admin rights continue to evade Google’s detection and make their way into Play. Earlier this year a baker’s dozen of apps were removed from the marketplace after they were spotted spreading the Brain Test family of malware. Once installed the apps communicated with C+C servers, downloaded addition APKs, and rooted some devices.

Suggested articles