Posted on June 8, 2017 at 11:58 AM
A new malvertising campaign was recently detected on a popular forum. After further investigation, Zscaler’s researchers discovered that the campaign forcibly downloads an app to Android devices. That app is later used to install a second app, which has far more intrusive features and is almost impossible to remove. The only reliable way of dealing with the pair is re-flashing the device’s firmware.
The campaign was spotted because of its use of malicious ads that are delivered to users’ devices on the GodLike Productions forum. The forum is also known for ranking among Alexa’s Top 11K most popular sites.
Researchers claim that the ads displayed on the forum are capable of forcefully downloading an Android APK on all the phones used for accessing this website.
Usually, this wouldn’t be much of an issue, since users must launch the downloaded APK manually in order to install it. However, this isn’t widely known, and most of those who got their phones infected simply tapped the new file to see what it was all about.
The name of the malicious app is KS Clean. The app tries to pass itself off as a cleaner app for Android, and its installation triggers pop-ups that pose as security updates. There’s no ‘close’ or ‘cancel’ button in sight; the only thing users can do is hit OK to dismiss the pop-ups. Doing so results in the immediate download and installation of another app known only as ‘update’.
During the installation, the ‘update’ asks for admin rights, and once it gains them, according to experts, it uses them to display ads on the phone’s screen.
Even if users were to trace the ads back to ‘update’, they would soon discover that they can’t uninstall the app.
To uninstall it, they would first have to revoke the app’s device administrator rights. The creators of the app anticipated that and used a programming trick that makes doing so impossible: every time the user attempts to revoke the admin rights, the app freezes the phone for a few seconds.
According to the researchers, there have been around 300 downloads of the first app in the previous two weeks. Most of the affected users are from France, the US, or the UK. Furthermore, it would appear that the forum’s administrators have ignored or deleted the topics that mention anything about this attack.
Researchers say that the only thing that can be done now is to disable the auto-download option found in mobile browsers. Also, in the phone’s Security settings, users should turn off the Unknown Sources option. That option is usually disabled by default, but it’s possible that some users have turned it on for whatever reason. If left enabled, the option allows apps from outside the Play Store to be installed, so be sure to turn it off right now.
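The two things the article singles out, a rogue device administrator that blocks removal and the Unknown Sources (sideloading) setting, are both visible over adb. The script below is an added example for triaging a suspect handset and is not code from the article or from Zscaler. It parses a constructed sample of `dumpsys device_policy` output (the `ComponentInfo{package/receiver}` line format is an assumption modelled on real Android output, and the package names are made up) and checks the `install_non_market_apps` secure setting; the live adb commands are shown commented out because they need a connected device.

```shell
#!/bin/bash
# Added example (not from the article): triage a possibly compromised Android
# device over adb. Functions work on text so they can be tested offline.

# Extract "package/receiver" pairs of active device admins from
# `dumpsys device_policy` output read on stdin. Line format is an assumption.
list_device_admins() {
  sed -n 's/.*ComponentInfo{\([^}]*\)}.*/\1/p' | sort -u
}

# The secure setting install_non_market_apps is "1" when Unknown Sources is on.
sideloading_enabled() {
  [ "$1" = "1" ]
}

# Constructed sample dumpsys output; not captured from a real device.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.android.settings/com.android.settings.DeviceAdminSettings}:
      uid=1000
    ComponentInfo{com.example.fake.cleaner/com.example.fake.cleaner.AdminReceiver}:
      uid=10234
'

# Print a short report from captured dumpsys text and a setting value.
triage_report() {
  local dumpsys="$1" sideload="$2"
  echo "Active device admins:"
  printf '%s' "$dumpsys" | list_device_admins
  if sideloading_enabled "$sideload"; then
    echo "WARNING: Unknown Sources (install_non_market_apps) is ON"
  else
    echo "OK: Unknown Sources is off"
  fi
}

# Offline demonstration on the constructed sample, with sideloading on.
triage_report "$SAMPLE_DUMPSYS" 1

# Live use on a connected device (commented out; requires adb):
#   adb shell dumpsys device_policy | list_device_admins
#   sideloading_enabled "$(adb shell settings get secure install_non_market_apps)"
# Removal follows the order the article describes: revoke admin first, then
# uninstall. On Android 7+ the dpm tool can do the revocation from the shell,
# which sidesteps the on-device settings screen the app freezes:
#   adb shell dpm remove-active-admin <package>/<receiver>
#   adb shell pm uninstall --user 0 <package>
```

Any third-party package holding device administrator rights that the user does not recognise is the one to look at first; `adb shell pm list packages -3` lists the sideloaded packages to compare against.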