FireEye has recently discovered a rapidly spreading malicious adware family that allows complete takeover of an Android user's device. The campaign is attributed to a mobile app promotion company called NGE Mobi/Xinyinhe, which claims a valuation of more than $100 million and has offices in China and Singapore.
This malicious adware uses novel techniques to maintain persistence and obfuscate its activity, including installing system-level services, modifying the recovery script that runs at boot, and even tricking the user into enabling automatic app installation.
Over 300 malicious, repackaged versions of legitimate Android apps have been observed in distribution, including Amazon, Memory Booster, Clean Master, PopBird, YTD Video Downloader, and Flashlight. The infection range is already wide, with victims in more than 26 countries across four continents. The adware has been found on 20 different Android versions, from 2.3.4 to 5.1.1, which at the time covered almost every release in use.
The attackers repackage popular apps and inject malicious logic and ad components into them. Once on the victim's phone, the malware unpacks itself and drops the malicious payload alongside the normal components of the repackaged app. Once it has full control of the phone, it can use the device for any purpose. The root backdoor it leaves behind is not restricted to its authors: any other attacker targeting the same phone can invoke it to obtain root privilege and take control of, or permanently damage, the device.
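The persistence tricks described above (packages dropped into the system partition, an altered boot-time recovery script, and a root helper that anyone can invoke) leave artifacts that can be triaged from saved `adb shell` output without the device present. The script below is an added example written for this page, not FireEye's tooling or the adware's own code; the directory listings, the recovery script contents, and the package name `com.adsdk.core` are all constructed, the baseline hash is a placeholder, and the paths `/system/app`, `/system/xbin` and `/system/etc/install-recovery.sh` are assumptions about a typical Android 4.x/5.x build (check `init.rc` for the `flash_recovery` service on the device in question).

```python
"""Offline triage of `adb shell` output for Android persistence indicators:
unexpected entries in /system/app, an altered install-recovery.sh, and
setuid-root binaries in /system/xbin. All sample input below is constructed.
"""
import hashlib
import re

# Constructed sample of `adb shell ls -l /system/app` (toolbox ls format).
SYSTEM_APP_LISTING = """\
drwxr-xr-x root     root              2015-01-01 00:00 Bluetooth
drwxr-xr-x root     root              2015-01-01 00:00 Calculator
drwxr-xr-x root     root              2015-10-05 13:37 com.adsdk.core
"""

# Baseline: entries present in the OEM firmware image for this build
# (assumed to be captured from a known-clean device of the same model).
BASELINE_SYSTEM_APPS = {"Bluetooth", "Calculator"}

# Constructed sample of /system/etc/install-recovery.sh (assumed path); the
# last line is the kind of addition an attacker with /system write access makes.
INSTALL_RECOVERY_SH = """\
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/platform/msm_sdcc.1/by-name/recovery:8880128:a1b2c3; then
  applypatch EMMC:/dev/block/platform/msm_sdcc.1/by-name/boot:7000000:d4e5f6 EMMC:/dev/block/platform/msm_sdcc.1/by-name/recovery a1b2c3 8880128
else
  log -t recovery "Recovery image already installed"
fi
/system/xbin/.daemon/svc &
"""

# Placeholder for the SHA-256 of the OEM's original install-recovery.sh,
# assumed to be taken from a clean firmware image of the same build.
BASELINE_RECOVERY_SHA256 = "0" * 64

# Constructed sample of `adb shell ls -l /system/xbin`.
XBIN_LISTING = """\
-rwxr-xr-x root     shell     4160 2015-01-01 00:00 dexdump
-rwsr-sr-x root     root     54396 2015-10-05 13:37 su
"""

# One line of toolbox `ls -l`: mode, owner, group, optional size, date, time, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)

# Lines a stock install-recovery.sh is expected to contain; anything else is flagged.
RECOVERY_EXPECTED = re.compile(r"^\s*(#!|if\s|else$|fi$|applypatch\s|log\s)")


def parse_ls(listing):
    """Parse `ls -l` text into dicts; lines that do not match are ignored."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def unexpected_system_apps(listing, baseline):
    """Names under /system/app that are not in the firmware baseline."""
    return sorted(e["name"] for e in parse_ls(listing) if e["name"] not in baseline)


def recovery_script_findings(script, baseline_sha256):
    """Report a hash mismatch against the OEM script plus any non-stock command lines."""
    findings = []
    digest = hashlib.sha256(script.encode()).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"hash mismatch: {digest}")
    for n, line in enumerate(script.splitlines(), 1):
        if line.strip() and not RECOVERY_EXPECTED.match(line):
            findings.append(f"line {n}: unexpected command: {line.strip()}")
    return findings


def setuid_binaries(listing, allowlist=frozenset()):
    """Root-owned files with the setuid bit (owner-execute position 's' or 'S')."""
    return sorted(
        e["name"] for e in parse_ls(listing)
        if e["mode"][3] in "sS" and e["owner"] == "root" and e["name"] not in allowlist
    )


def triage(app_listing, baseline_apps, recovery_script, baseline_sha, xbin_listing):
    """Combine the three checks into one report dict."""
    return {
        "unexpected_system_apps": unexpected_system_apps(app_listing, baseline_apps),
        "recovery_script": recovery_script_findings(recovery_script, baseline_sha),
        "setuid_root": setuid_binaries(xbin_listing),
    }


if __name__ == "__main__":
    report = triage(SYSTEM_APP_LISTING, BASELINE_SYSTEM_APPS,
                    INSTALL_RECOVERY_SH, BASELINE_RECOVERY_SHA256, XBIN_LISTING)
    for check, items in report.items():
        print(check)
        for item in items:
            print("  ", item)
```

On a real device, replace the constructed strings with the saved output of `adb shell ls -l /system/app`, `adb shell cat /system/etc/install-recovery.sh` and `adb shell ls -l /system/xbin`, and take the baselines from a clean firmware image of the same build; a hash mismatch alone is not conclusive (OEM updates rewrite the script too), so the per-line check is what points at an injected command.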
FireEye's investigation shows that the samples have been propagated through numerous channels. The main channel is the large cooperative ad network that Xinyinhe participates in, in which ad vendors promote each other's services and products. A few posts on popular social networks such as Facebook and Twitter have also been observed. Closer analysis found strings in the code written in simplified Chinese characters, suggesting the involvement of a Chinese entity.
This is a worldwide, high-severity campaign, likely operated by a Chinese organisation. To protect themselves, users are advised never to click on suspicious links in emails, SMS, websites or advertisements, and never to install apps from outside the official app store. Keeping Android devices up to date also reduces exposure. Affected users may also have inadvertently exposed their credentials for online services, so they should change their passwords for services such as iTunes, online banking, email, and work accounts.