Whose phone is in your pocket?
In late April 2015, we discovered an Android malware used for installing a backdoor with root privileges on infected devices. The malware is popular in Russia, India, Ukraine and Algeria, but its spread is not limited to these countries: our research has revealed infection cases all over the world. It is distributed via popular third-party stores and was available for download on Google Play from May 22, 2015 to June 9, 2015 (100 000 – 500 000 installs). “Rooting” is performed using a pack of techniques adopted from popular “One-Click Rooting” apps and from open sources (GitHub, etc.). This is a rare case in the world of Android malware: most in-the-wild Trojans rely on existing root access, because of the complexity of creating a stable, universal method of gaining root privileges on a wide range of devices. Further investigation revealed that an even more advanced threat (not to mention ordinary downloaders and adware apps) is installed on the infected device: a plugin-driven backdoor with the ability to inject arbitrary modules into existing apps via Zygote, the parent process of all Android application processes. Thus the malware gains the ability to perform complex attacks on a wide range of applications, e.g. placing hooks on core Android API functions inside banking apps. Such capabilities make detection and removal of this malware very difficult and give it almost full control of the device. Thereby cybercriminals gain great abilities to deploy various botnet schemes consisting of numerous infected Android devices.
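One defender-side check that follows from the Zygote fact above, added here as an example and not part of the original research: because every app process is forked from Zygote, a module injected at that level shows up as executable code mapped into app processes from outside the usual system and app locations. The script parses constructed `ps` and `/proc/<pid>/maps` samples; the trusted path list, the process names and the sample library paths are assumptions for the example.

```python
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/data/app/")  # assumed stock locations of native code

def parse_ps(ps_output):
    """'ps -A -o PID,PPID,NAME' output -> {pid: (ppid, name)}; header line skipped."""
    rows = (line.split(None, 2) for line in ps_output.strip().splitlines()[1:])
    return {int(pid): (int(ppid), name.strip()) for pid, ppid, name in rows}

def is_app_process(pid, procs):
    """True if pid's ancestry passes through zygote/zygote64, i.e. it is an app process."""
    cur = procs[pid][0]                           # start from the parent
    while cur in procs:
        if procs[cur][1] in ("zygote", "zygote64"):
            return True
        cur = procs[cur][0]
    return False

def untrusted_exec_mappings(maps_text):
    """File-backed executable mappings (from /proc/<pid>/maps) outside TRUSTED_PREFIXES."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)              # addr perms offset dev inode [path]
        if len(fields) < 6 or "x" not in fields[1]:
            continue                              # anonymous or non-executable mapping
        path = fields[5].strip()
        if not path.startswith("[") and not path.startswith(TRUSTED_PREFIXES) and path not in hits:
            hits.append(path)                     # "[vdso]"-style pseudo paths are skipped
    return hits

def audit(ps_output, maps_by_pid):
    """{pid: [untrusted paths]} for every app process that has such a mapping."""
    procs = parse_ps(ps_output)
    report = {}
    for pid in sorted(procs):
        hits = untrusted_exec_mappings(maps_by_pid.get(pid, "")) if is_app_process(pid, procs) else []
        if hits:
            report[pid] = hits
    return report

# Constructed sample data standing in for `ps` output and /proc/<pid>/maps on a device.
PS_SAMPLE = """PID PPID NAME
512 1 zygote64
900 512 com.example.bank
901 512 com.android.systemui
2000 1 logd"""
MAPS_SAMPLE = {
    900: "7f10000000-7f10020000 r-xp 00000000 fd:00 123 /system/lib64/libc.so\n"
         "7f20000000-7f20010000 r-xp 00000000 fd:00 456 /data/local/tmp/libhook.so\n"
         "7f30000000-7f30010000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n",
    2000: "7f40000000-7f40010000 r-xp 00000000 fd:00 789 /data/local/tmp/libhook.so\n",  # not an app process
}
```

Only pid 900 is reported: 901 has no untrusted mapping and 2000 is not forked from Zygote, so it is outside the scope of this check.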