We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets. By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. As of this writing, almost 90% of Android devices run on affected versions. Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and has affected over 850,000 devices worldwide.
Figure 1. Global distribution of affected devices
Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. The said framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community.
In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.
Rooting Goes From Local to Remote
We have seen the evolution of this family. In earlier Godless versions, malicious apps contain a local exploit binary called libgodlikelib.so , which uses exploit code from android-rooting-tools.
Figure 2. android-rooting-tools exploits found in libgodlike.so
Once a user downloads these malicious apps, the malware waits until the affected device’s screen is turned off before proceeds with its rooting routine.
Figure 3. Exploit initiating as screen is turned off
After it successfully roots the device, it then drops a payload as a system app that cannot easily be removed. The payload is an AES-encrypted file called __image.
Figure 4. Payload drop routine
Recently, we came across a new Godless variant that is made to only fetch the exploit and the payload from a remote command and control (C&C) server, hxxp://market[.]moboplay[.]com/softs[.]ashx. We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play.
Figure 5. Downloading exploit from C&C server
We found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games. For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code:
Figure 6. Sample of malicious app
We have also seen a large amount of clean apps on Google Play that has corresponding malicious versions—they share the same developer certificate—in the wild. The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior. Note that updating apps outside of Google Play is a violation of the store’s terms and conditions.
Figure 7. Clean and malicious versions from the same author
Earlier Godless variants drop a system app that implements a standalone Google Play client. This payload steals affected Google credentials in order to download and install apps from the said app store. Users may then receive unwanted apps “promoted” by the payload. Another purpose of this routine is to fraudulently improve certain apps’ Google Play ranking.
As for the latest variant (which remotely fetches the payload), currently, the attack installs a backdoor with root access in order to silently install apps on affected devices.
There is absolutely nothing wrong with rooting one’s mobile device. It can have several benefits in terms automation, performance, and basically getting the most out of a device. But when a malware roots a phone without a one’s knowledge, that’s where the fun stops.
When downloading apps, regardless if it’s a utility tool or a popular game, users should always review the developer. Unknown developers with very little or no background information may be the source of these malicious apps. And as a general rule, it is always best to download apps from trusted stores such as Google Play and Amazon.
The SHA1 hashes related to this threat can be found in this appendix. We have also informed Google about the related apps found in their store and they have taken appropriate action.