Android-rooting malware lurking on Google Play

For a while now Android-rooting malware has been creeping in Google’s Play store.

The latest instance, discovered by Lookout researchers, masquerades as LevelDropper, an app that simulates the level tool used in construction.

Android-rooting malware lurking on Google Play

When an unsuspecting user installs it, the app silently roots the device and stealthily installs many more apps on it.

An indication that the LevelDropper might be malicious comes in the form of a blank LocationServices window that pops up after the user runs the app.

“This is a significant red flag. It often indicates a potential crash that can be taken advantage of to gain an escalation in privilege,” the researchers note.

And in this case, the app gained root privileges, which allowed it to download more apps – 14 in just 30 minutes! – without the victim having to approve their download or their installation.

What’s interesting about this latest Android-rooting malware is that its creators have tried to make it less obvious that the device is rooted. There was no superuser binary or a rewritten “install-system-recovery” script to assure the persistence of root access.

“The only evidence we could uncover was the fact that the system partition was writable (usually it is mounted in read-only mode to prevent modifications); all other evidence appears to have been removed,” the researchers say.

The malware carries and is capable of using two privilege escalation exploits, PoC code for which is publicly available online.

Google has been notified of the problem, and has already removed the offending app from Google Play.

Users that have installed it are advised to perform a factory reset on the device to get rid of the malware, and to be more careful about what they download in the future. As we’ve witnessed repeatedly, even downloading apps from official app stores is not completely without risk.




Share this