Kemoge is dangerous Android malware affecting users in more than 20 countries. It was discovered by researchers at FireEye Labs, who report that it allows complete takeover of a user's Android device. It is believed to originate in China and takes its name from its command-and-control (CnC) server, aps.kemoge.net.
Wide Range Of Infection.
So far it has affected more than 20 countries, with victims that include governments and large-scale industries. This malicious adware disguises itself as popular apps by repackaging them with its payload, which is why it propagates so widely. The following image shows several of its repackaged versions.
The lifecycle of Kemoge.
The whole life cycle of Kemoge can be summarized as follows.
|Image credits: Fireeye.com|
- Third-party app stores: the attacker uploads the repackaged malicious apps to third-party app stores and lures the target into downloading one.
- Local info collection/ads: once installed, the malware collects device details and sends them to the CnC server. Meanwhile the user is shown a large number of annoying ads.
- Rooting the device: it carries as many as eight root exploits, covering a wide range of device models, and tries them to gain root access. Once the device is rooted the malware has complete control of it; it then reports to the CnC server and awaits further instructions.
Sophisticated Persistence and Evasion Techniques
According to FireEye: "After gaining root, it executes root.sh to obtain persistency. Afterwards, it implants the AndroidRTService.apk into /system partition as Launcher0928.apk -- the filename imitates the legit launcher system service. Moreover, the package name of this apk also looks like authentic services. To evade detection, it does not constantly communicate to the server. Instead, it only asks for commands on the first launch or after 24 hours from its last command. In each communication, it first posts the IMEI, IMSI, storage info, and installed app info to the remote server."
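The two behaviours in that quote, the implant dropped onto the /system partition under a launcher-like name and the once-per-24-hours beacon to aps.kemoge.net, are both things a defender can check for. The script below is an added example written for this page, not FireEye's code. It takes a constructed directory listing (standing in for a directory on the /system partition of an infected device; the exact path and the filler entries are assumptions) and a constructed proxy log, flags the implant filenames named in the write-up, and flags clients whose contacts with the CnC domain are spaced roughly 24 hours apart, which is the pattern to look for instead of request volume.

```python
"""Indicator checks for Kemoge persistence and beaconing.

Added example for this page; not FireEye's tooling. All sample data below is
constructed for illustration.
"""
from datetime import datetime, timedelta

# Indicators taken from the FireEye write-up quoted above.
IMPLANT_FILENAMES = {"Launcher0928.apk", "AndroidRTService.apk"}
CNC_DOMAIN = "aps.kemoge.net"

# Constructed sample: what a directory listing of the /system partition
# (here assumed to be /system/app) might look like on an infected device.
# The entries other than Launcher0928.apk are invented filler.
SYSTEM_APP_LISTING = """\
-rw-r--r-- root root   1234567 2015-10-01 12:00 Bluetooth.apk
-rw-r--r-- root root    987654 2015-10-01 12:00 Launcher2.apk
-rw-r--r-- root root   2345678 2015-10-07 03:14 Launcher0928.apk
-rw-r--r-- root root    456789 2015-10-01 12:00 Settings.apk
"""

# Constructed sample proxy log: timestamp, client address, method, host.
PROXY_LOG = """\
2015-10-07T03:15:02Z 10.0.0.5 POST aps.kemoge.net
2015-10-07T03:20:11Z 10.0.0.5 GET  www.example.com
2015-10-08T03:15:09Z 10.0.0.5 POST aps.kemoge.net
2015-10-08T09:00:00Z 10.0.0.9 GET  www.example.com
2015-10-09T03:15:30Z 10.0.0.5 POST aps.kemoge.net
"""


def find_implants(listing):
    """Return the filenames in a directory listing that match the implant names.

    The last whitespace-separated field of each `ls -l` line is the filename.
    """
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if fields and fields[-1] in IMPLANT_FILENAMES:
            hits.append(fields[-1])
    return hits


def cnc_contacts(log, domain=CNC_DOMAIN):
    """Group the timestamps of requests to the CnC domain by client address."""
    contacts = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host = line.split()
        if host == domain:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            contacts.setdefault(client, []).append(when)
    return contacts


def daily_beaconers(contacts, period=timedelta(hours=24),
                    tolerance=timedelta(minutes=30)):
    """Return clients whose successive CnC contacts are all about one period apart.

    Kemoge polls only on first launch or 24 hours after its last command, so a
    sparse but evenly spaced series of contacts is the signal; a client with a
    single contact has no gaps to judge and is not flagged.
    """
    flagged = []
    for client, times in contacts.items():
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if gaps and all(abs(gap - period) <= tolerance for gap in gaps):
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    print("implant files found:", find_implants(SYSTEM_APP_LISTING))
    print("clients beaconing daily:", daily_beaconers(cnc_contacts(PROXY_LOG)))
```

On a real device the listing would come from `adb shell ls -l` against the /system partition, and the log from whatever proxy or DNS resolver the phones sit behind. The 30-minute tolerance is a guess at how much a 24-hour timer drifts across reboots and sleep; tune it against your own logs, and remember that a device which has only contacted the domain once will pass the beacon check but still fail the implant check.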
How to Be Safe.
FireEye researchers recommend the following tips to protect yourself from the Kemoge malware.
- Never click on suspicious links from emails/SMS/websites/advertisements.
- Don’t install apps outside the official app store.
- Keep Android devices updated so that publicly known root exploits no longer work against them. (Upgrading to the latest OS version provides some protection, but it does not guarantee that you will remain protected.)
A detailed analysis of the Kemoge malware can be read on the FireEye blog.
News, Images Source : https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html