Google Play Hit with Rash of Auto-Rooting Malware

Researchers have identified a recent wave of malware targeting the Google Play app marketplace that entices users to download utilities and games that when installed surreptitiously root devices.

The exploit, which mobile security firm Lookout calls autorooting malware, gives attackers complete control of the infected device. It was discovered by researchers in an app called LevelDropper.

“LevelDropper, an app in the Google Play Store that we determined to be malicious, is the latest example of a new and persisting trend in mobile threats: autorooting malware,” wrote Colin Streicher, with Lookout’s research and response team in a blog posted Monday.

Lookout did not indicate what versions of the Android OS is vulnerable to LevelDropper.

Streicher said once installed, LevelDropper, an app that gauged a horizontal plane with a simulated air bubble, quietly jailbreaks or roots the targeted Android phone or tablet. Next, with escalated privileges, attackers can remotely install additional applications without the target’s knowledge.

“Immediately after running LevelDropper, we noticed that the Location Services window popped up blank. This is a significant red flag,” Streicher wrote. Worse, after just 30 minutes being attacked, the attacker had silently installed 14 applications with no user interaction.

Credit: Lookout

Credit: Lookout

Upon closer examination of the device’s System Directory, researchers said, there were no overt signs that the Android device had been rooted. “Usually we would see a superuser binary and often a rewritten “install-system-recovery” script, which is used to ensure that root access survives upgrades.”

LevelDropper is just the latest in a wave of similar type autorooting malware to hit the Google Play store. Lookout said Google has recently given the boot to Brain Test, ShiftyBug, Shuanet, and Shedun that each bundled the autoroot exploit. As with these others, LevelDropper was also pulled from the Google Play marketplace.

With LevelDropper, the attacker’s intent appears to be to drive ad revenues.

“In cases like this, developers often integrate auto-rooting functionality to drive app installs which can drive both perceived popularity and ad revenue,” Streicher explains. In the case of the autorooting malware sample called Brain Test the attackers went so far as to hijacks the victim’s  phone in order to post positive reviews of similar autorooting malware-laced games, he wrote.

Root exploits are not new and trace back to 2011 with the reported GingerMaster exploit that targeted Android 2.3 and gave attackers complete control over infected devices. That malware, also packaged in infected apps, collected data on the user and downloaded and installed apps on its own, without the user’s permission. More recently, in April, Blue Coat security researchers observed a weaponized version of the Towelroot jailbreaking utility used in tandem with ransomware attacks against Android device users.

According to a 2014 report by Lacoon Mobile Security, Android root access vulnerabilities affect most devices. The exploit is tied to a vulnerability in version 3.14.5 of the Linux kernel. The firm called the bug “Towelroot,” because it is the same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by the hacker George Hotz.