Android malware can root devices and install code
Trend Micro has discovered a new breed of Android malware called ‘Godless’. Godless carries several exploits that allow it to root a device and install spyware. A newer variant is also said to be able to bypass Google Play security checks.
According to the security company, the malware targets Android versions 5.1 and older, meaning that about 90 percent of Android devices are still vulnerable to Godless. At the time Trend Micro published its blog post, some 850,000 devices worldwide were believed to be infected, with the largest share in India at about 46 percent, followed by Indonesia in second place with over 10 percent of infections.
Godless, which the security company detects as androidos_godless.hrx, roots Android using a framework called android-rooting-tools. It uses several well-known exploits, such as PingPongRoot and Towelroot, and also appears in certain safe-looking apps in the Google Play Store, such as flashlight and Wi-Fi apps. The criminals also abuse popular games by putting malicious copies of them in the store.
Trend Micro also found normal, clean apps in the store that have malicious versions outside the Play Store, signed with the same developer certificate. A user can therefore end up upgrading a normal, safe app to one with malicious code if the user downloads an ‘update’ from outside the Play Store. The security company rightly notes that it is not wise to install apps from outside the Play Store. By default, installing apps from outside the Play Store is often turned off on Android devices.