Malicious ads trigger drive-by download of persistent Android adware

UK and US Android users have been saddled with unwanted apps via malicious ads that executed a drive-by download attack.

According to Zscaler researchers, the malicious ads were posted on forums, including one named GodLikeProductions, a relatively popular site that serves a community of conspiracy theorists.

If loaded by Android users, the ads would trigger the automatic download of an app named Ks Clean (kskas.apk), which poses as a cleaner app.

Victims still had to run the app and give it the permissions it asked (among them, to draw over other apps), but once they did that, they were shown a fake security update notification that offers no other option than to proceed with it:

Android malvertising

Clicking on the OK button triggers the download of another app (“update”), and the request to give this app admin rights to the device.

The permissions the app asks also allow it to download files without notifications, draw over other applications, access a variety of information about the device, browser history, and so on.

“Once the app gains admin rights, it becomes impossible to remove it from the device. The traditional ‘Uninstall’ option, by default, becomes disabled, because a user cannot remove apps with admin rights. Usually, one can uninstall such apps by first removing admin privileges via settings, but this app uses an unconventional method — registering as an Android receiver — to preserve its admin privileges,” the researchers warned.

“An Android receiver is an Android component that gets triggered in accordance with registered events and actions. In this case, it registers a receiver for an event titled, ‘DEVICE_ADMIN_DISABLED,’ which locks down the device for few seconds whenever the user tries to disable admin privileges.”

At the moment, the app only shows annoying ads (outside the app), but it can switch to downloading malware in a heartbeat. Also, there is no guarantee that some of the ads it shows aren’t malicious, as well.

Android malvertising

The number of users who downloaded the initial app is not big, but users are advised to protect themselves against this type of scheme by disabling auto-download in Android browsers, the download of apps from “Unknown Sources”, and generally to be critical when it comes to the permissions apps ask.

Users can’t count on website admins to protect them against this type of threat. In this particular case, the admins of GodLikeProductions also deleted forum messangers by users that warned about the drive-by download.