“Godless” apps, some found in Google Play, can root 90% of Android phones

A family of mobile malware called "Godless" has affected over 850,000 Android devices worldwide with almost half of these devices in India alone, a new report said on Thursday.

Based on the data collected from cyber-security firm Trend Micro's "Mobile App Reputation Service", malicious apps related to "Godless" are found in prominent app stores, including Google Play.

"Godless" hides inside an app and uses exploits to gain root access to the operating system (OS) on your phone. This gives it admin access to the device, allowing unauthorised apps to be installed.

"It contains various exploits to ensure it can root a device and it can even install spyware," the report warned.

By having multiple exploits to use, 'Godless' can target virtually any Android device running on Android 5.1 (Lollipop) or earlier.

Almost 90 percent of Android devices globally currently run on affected versions, the company claimed.

Once the malware has finished its rooting, it can be tricky to uninstall.

"When downloading apps, users should always review the developer. Unknown developers with very little or no background information may be the source of these malicious apps. Users should also have secure mobile security that can mitigate mobile malware."

Country Manager, (India and SAARC), Trend Micro.

In a recently published blog post, antivirus provider Trend Micro said that Godless, as the malware family has been dubbed, contains a collection of rooting exploits that works against virtually any device running Android 5.1 or earlier. That accounts for an estimated 90 percent of all Android devices. Members of the family have been found in a variety of app stores, including Google Play, and have been installed on more than 850,000 devices worldwide. Godless has struck hardest at users in India, Indonesia, and Thailand, but so far less than 2 percent of those infected are in the US.

Once an app with the malicious code is installed, it has the ability to pull from a vast repository of exploits to root the particular device it's running on. In that respect, the app functions something like the many available exploit kits that cause hacked websites to identify specific vulnerabilities in individual visitors' browsers and serve drive-by exploits. Trend Micro Mobile Threats Analyst Veo Zhang wrote:

Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. The said framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community.

In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.

The first Godless apps stored the rooting exploits in a binary file called libgodlikelib.so directly on an infected device. Once an app is installed, it waits for the device screen to turn off and then proceeds with its rooting routine. After it successfully roots the device, it installs an app with all-powerful system privileges so it can't easily be removed. The earlier apps also install a system app that implements a standalone Google Play client that automatically downloads and installs apps. The client can also leave feedback in Google Play to fraudulently improve certain apps’ rankings.

More recent Godless apps download the rooting exploit and payload from the server located at hxxp://market[.]moboplay[.]com/softs[.]ashx, most likely so that the malware can bypass security checks done by Google Play and other app stores. The later variants also install a backdoor with r
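
As an added example (not from the article or from Trend Micro's report), here is a triage script that checks an APK for the two indicators named above: the libgodlikelib.so library used by the early apps and the download server address used by the later ones. The sample APKs are constructed in memory, the function names are hypothetical, and matching plain strings is an assumption that will miss packed or encrypted variants.

```python
import io
import zipfile

# Indicators taken from the article; the URL is kept defanged as on the page.
LIB_NAME = "libgodlikelib.so"
C2_DEFANGED = "hxxp://market[.]moboplay[.]com/softs[.]ashx"


def refang_host_path(defanged: str) -> bytes:
    """Turn the defanged URL into the host/path bytes to search for."""
    url = defanged.replace("[.]", ".").replace("hxxp", "http", 1)
    return url.split("://", 1)[1].encode("ascii")


def scan_apk(apk_bytes: bytes) -> list[str]:
    """Return findings for one APK (a ZIP archive) supplied as bytes."""
    needle = refang_host_path(C2_DEFANGED)
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base == LIB_NAME:
                findings.append(f"native library: {info.filename}")
            # Later variants fetch the exploit remotely, so the library may be
            # absent; search every entry's content for the server address too.
            if needle in apk.read(info).lower():
                findings.append(f"C2 reference: {info.filename}")
    return findings


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build a constructed APK-like ZIP in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real malware: only the names and strings match.
EARLY = build_sample({"lib/armeabi/libgodlikelib.so": b"\x7fELF placeholder"})
LATER = build_sample(
    {"classes.dex": b"dex\n035\x00 http://" + refang_host_path(C2_DEFANGED)})
CLEAN = build_sample({"classes.dex": b"dex\n035\x00 https://example.com/api"})

if __name__ == "__main__":
    for label, apk in (("early", EARLY), ("later", LATER), ("clean", CLEAN)):
        print(label, scan_apk(apk) or "no indicators")
```

A hit is a reason to pull the app for closer analysis; a clean result only means these two strings were not present in the archive.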
