Researchers at security firm FireEye have revealed an emerging strain of Android malware originating from a China-based mobile company that is quickly spreading worldwide.
The malware, said to have infected 20 different versions of Android from 2.3.4 to 5.1.1, reportedly originates from a company named NGE Mobi/Xinyinhe and gives its operators complete control of an infected device.
FireEye, which started monitoring this malware family in August, reported that the number of infected devices is still increasing, with 308 different phone models in more than 26 countries across four continents already affected.
The attack uses a number of techniques to install malware on Android devices, according to researchers Yulong Zhang, Zhaofeng Chen and Yong Kang.
“The malicious adware uses novel techniques to maintain persistence and obfuscate its activity, including installing system level services, modifying the recovery script executed on boot, and even tricking the user into enabling automatic app installation,” they wrote in a blog post.
The evidence suggests that the attackers are repackaging popular Android applications to inject malicious components, and FireEye reports it has observed over 300 malicious, repackaged versions of legitimate Android apps in circulation, including Amazon, Flashlight, Memory Booster and Clean Master.
“After propagating to the victim’s phone, the malware unpacks and releases the malicious payload along with the normal components of the repackaged app. Now that the app has full control of the phone, it can use the victim’s phone for any purpose,” warn the researchers.
“The app never mounts the /system back to read-only, and allows anyone to invoke its root backdoor to obtain root privilege. Any other attackers landing on the same victim phone can control or make permanent damages to the phone.
“All communications use HTTP, so anyone can hijack the connection and take over the control of this large botnet.”
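Two of the indicators FireEye quotes above can be checked on a suspect handset without any vendor tooling: a /system partition that stays mounted read-write, and a boot-time recovery script that has been edited to launch something extra. The script below is an added example written for this page, not FireEye's code. It assumes the mount table was pulled with `adb shell cat /proc/mounts` and that the boot-time script is /system/etc/install-recovery.sh (the standard AOSP location; the article does not name the path). All sample input is constructed.

```python
"""Offline triage for two persistence indicators from the FireEye report:
a /system partition left mounted read-write, and a boot-time recovery
script that runs something from a user-writable location.

Added example for this page, not FireEye's code. Assumptions: the mount
table comes from `adb shell cat /proc/mounts`; the boot-time script is
/system/etc/install-recovery.sh (AOSP location, not named in the article).
"""
from typing import Dict, List

# Constructed /proc/mounts excerpt: /system has been remounted rw (the
# indicator), /vendor is still ro, /data is rw as normal.
SAMPLE_MOUNTS = """\
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/vendor /vendor ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,relatime 0 0
"""

# Constructed install-recovery.sh: the stock applypatch block plus an
# appended line that starts a binary dropped under /data at every boot.
SAMPLE_RECOVERY = """\
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/platform/msm_sdcc.1/by-name/recovery:1024:deadbeef; then
  applypatch EMMC:/dev/block/platform/msm_sdcc.1/by-name/boot:2048:cafebabe EMMC:/dev/block/platform/msm_sdcc.1/by-name/recovery deadbeef 1024
fi
/data/local/tmp/.svc daemon &
"""

# Partitions that should be read-only on a running device.
PROTECTED = ("/system", "/vendor")
# Path prefixes a boot-time script has no business executing from.
WRITABLE_ROOTS = ("/data/", "/sdcard/", "/storage/", "/mnt/", "/cache/")


def parse_proc_mounts(text: str) -> List[Dict[str, object]]:
    """Parse /proc/mounts lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": set(fields[3].split(",")),
        })
    return entries


def writable_protected_partitions(text: str) -> List[str]:
    """Mountpoints from PROTECTED that carry the rw option.
    Empty on a stock device; non-empty matches the indicator quoted above."""
    return sorted(
        e["mountpoint"] for e in parse_proc_mounts(text)
        if e["mountpoint"] in PROTECTED and "rw" in e["options"]
    )


def suspicious_recovery_lines(script: str) -> List[str]:
    """Non-comment lines of install-recovery.sh that reference a path under a
    writable root. Heuristic: the stock script only runs applypatch against
    block devices, so any such reference deserves a manual look."""
    hits = []
    for line in script.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(tok.startswith(WRITABLE_ROOTS) for tok in stripped.split()):
            hits.append(stripped)
    return hits


def triage(mounts: str, recovery_script: str) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by indicator."""
    return {
        "rw_protected_partitions": writable_protected_partitions(mounts),
        "recovery_script_hits": suspicious_recovery_lines(recovery_script),
    }


if __name__ == "__main__":
    for indicator, findings in triage(SAMPLE_MOUNTS, SAMPLE_RECOVERY).items():
        print(indicator, "->", findings or "clean")
```

Both checks are triage, not proof: a device the owner rooted deliberately will also show /system mounted rw, and a script edit that only calls binaries already in /system will not trip the path heuristic. Read the flagged lines, pull the referenced binaries and compare installed app signing certificates against clean copies before calling the handset infected.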
FireEye researchers also listed further background information on the Chinese firm said to be behind the attacks, claiming that it is using the malware for nefarious purposes.
“NGE Mobi is able to ‘guarantee’ downloads of the apps it gets paid to promote. They also generate ad revenue by serving ads via full control of a victim’s device,” the researchers state.
By analysing NGE Mobi’s background, the FireEye team came to the conclusion that it has used the malicious techniques to further its business aims.
“It appears that the company spent lots of effort and resources on marketing and promotion, explaining why the infection is so global. Consequently, the large number of infected phones is also helping the company grow,” the team reports.
“This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organisation.”
To limit further infections, FireEye advises users to keep their devices fully updated, not to click on suspicious links and not to install applications from untrusted sources.