A NEW ANDROID THREAT is downloading itself via advertisements on forums and is targeting users in the UK, US and France.
The app, which was identified by IT security company Zscaler on the conspiracy forum GodLike Productions, forms part of a malvertising campaign and begins as a malicious ad. It auto-downloads an Android APK to users who are accessing the forum website from their Android smartphones.
The app, dubbed Ks Clean, aims to fool users into thinking it is an Android cleaner app. However, only those users who manually launch the app to be installed are under threat.
Once the app is installed, a fake security update immediately pops up with no option for it to be cancelled or closed, leaving users no choice but to click 'Ok' to dismiss the message. However, this immediately triggers a download of a second app which is called 'update', that then asks for admin rights during its installation process.
Once the second app gains admin rights, it becomes impossible to remove from the device. The ‘uninstall' option, becomes disabled by default because users cannot remove apps with admin rights.
Zscaler said that the way around this would normally be to uninstall apps by removing admin privileges via settings. However, the app uses the unconventional method of registering as an Android receiver to preserve its admin privileges.
An Android receiver gets triggered in accordance with registered events and actions. In this case, those who developed the app have ensured that the device is locked down for a few seconds whenever the user tried to disable admin privileges.
The app continues to then show the device owner advertisements even when the user is using other apps.
The researchers said they've tracked over 300 downloads of the first app in the past two weeks, with the most affected countries being the UK, US and France. They also claim that the forum administrators ignored and deleted topics about the apps forcibly being downloaded onto their devices.
Zscaler said that Android users should safeguard themselves from this threat by not clicking on unknown links, disabling unknown sources and disabling auto-download in Android browsers. µ
Malwarebytes uncovers new 'Diablo' and 'Lukitus' variants
Firm responsible says ballsup had 'no impact' on the results of any election
Coming soon to a PC near you. Sick bags not provided, sadly
Smartwatch will make its debut alongside the iPhone 8