Batu69 Posted June 7, 2017

Ks Clean: Run and install: OK, OK or, er, OK?

A malicious Android app that downloads itself from advertisements posted on forums strongly resists removal, security firm Zscaler warns.

The dodgy Android utility poses as "Ks Clean", an Android cleaner app. Once installed, the app displays a fake system update message in which the only option presented to the user is to select the "OK" button, giving victims little immediate option other than to accept a supposed security update.

As soon as the user presses "OK", the malware prompts the installation of another APK named "Update". The Update app asks for administrator privileges which, if granted, can't be revoked.

The app uses the insidious mask of a "security update" to get a user to complete the installation. After that, there is nothing to stop malware from slinging pop-up ads at victims even when the user is using other apps. Users would be unable to easily uninstall the app using the traditional "Uninstall" option because it has admin rights.

This is a "security update". It's for your own good and you must comply.

Zscaler has identified over 300 instances of malicious APKs from this campaign affecting users in the US and UK over the last two weeks, including an attack on a conspiracy forum called "GodLikeProductions".

"On one such forum we found entitled 'GodLikeProductions', visitors complained about the automatically downloading app, but those messages were either removed or ignored by the forum's hosts, allowing the problem to perpetuate," Zscaler reports.

Article source

Other source: Self-Downloading Android Malware Target Users in the US, UK, and France

Karlston Posted June 7, 2017

The dodgy English should be like a giant neon sign flashing "THIS IS MALWARE" to users.

CrAKeN Posted June 8, 2017

A malvertising campaign detected on a popular forum is forcibly downloading an Android app on users' devices, which later installs a second app with more intrusive features and which is almost impossible to remove without flashing the user's phone.

Detected by security researchers from Zscaler, this malvertising campaign was currently only spotted via malicious ads delivered on the GodLike Productions forum, a site that ranks in Alexa's Top 11K most popular websites on the Internet.

Malvertising forcibly downloads app on users' phones

According to researchers, malicious ads displayed on this forum would auto-download an Android APK to users' devices accessing the site from their Android smartphones.

Under normal circumstances, this wouldn't be a problem as users need to manually launch the app to be installed. Unfortunately, not all users know this, and there are plenty of users who wanted to check out what this new app was and installed it.

This app's name is Ks Clean (kskas.apk), and it tries to pass as an Android cleaner app. Installing this app triggers an immediate popup that mimics a security update. Because there's no "cancel" or "close" button, users have no choice but to click "Ok" to dismiss the message.

This immediately downloads and installs a second app that is named only "update." This app asks for admin rights during its installation process.

Experts say that once the app gains admin rights, it will use them to show ads on the user's screen. If users track down the source of these ads to the "update" app, they won't be able to uninstall it.

Uninstalling the app requires first that the user revokes its admin rights. This isn't possible because by using a clever programming trick, the app will freeze the user's device for a few seconds every time someone attempts to remove its user from the admin group.

A video of this "device freezing" trick is here. Enable closed captions (subtitles) for a walkthrough.

Forum admins have deleted topics about the malicious app

Researchers say they've tracked over 300 downloads of the first-stage app in the past two weeks. The most affected countries were the US, the UK, and France.

Even worse, it appears that the administrators of the forum where researchers spotted this campaign had ignored and even deleted topics where users complained about the site forcibly downloading apps on their devices.

Screenshots of deleted topics

To prevent being affected by this campaign, Zscaler researchers say users should disable auto-download in all their mobile browsers and turn off the "Unknown Sources" option in the Android Security settings section.

This latter option is off by default, but some users and OEMs enable the feature for various reasons. When turned on, this feature allows users to install apps from outside the official Play Store, which is the only way the two apps above can be installed.

Source

Archived
This topic is now archived and is closed to further replies.