‘Godless’ Malware Brings Exploit Kit Finesse To Android

The malware’s multiple exploits allow it to target 90 percent of current Android devices, researchers say

A new form of smartphone malware found on Google Play and elsewhere is capable of infecting the vast majority of Android devices currently in use, and has already affected hundreds of thousands of systems, according to computer security researchers.

The malware family, called Godless, can affect a broad range of devices because it uses several different attack techniques depending on the system targeted, said Trend Micro.


Mobile-malware-virus-security-Shutterstock-Julien-TromeurThe discovery indicates a growing sophistication on the part of mobile malware makers, according to Trend.

Exploit kits taking advantage of many different vulnerabilities are common in the PC world, but the approach is new to mobile malware, Trend said.

“Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools,” said Trend Mobile Threats Analyst Veo Zhang in an advisory. “Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. As of this writing, almost 90 percent of Android devices run on affected versions.”

The exploit framework targets two widespread Android vulnerabilities, designated CVE-2015-3636 and CVE-2014-3153, as well as a number of less significant bugs, Zhang wrote.

Malicious applications using Godless have made their way into “prominent” app stores including Google Play, and have infected 850,000 devices internationally, with more than 46 percent of the infections in India, Trend said.


AndroidOnce it takes over a device, gaining root (or administrator) privileges, the malware installs its own advert-displaying applications and may install backdoors that can be used to spy on users according to Trend, which said the malicious payload, once installed, is difficult to remove.

The malware also attempts to fraudulently improve app rankings on Google Play, according to the firm.

Earlier versions of the malware contained the unwanted applications and other malicious code within a local file, but a newer variant fetches the payload from a remote server, which may help the malware evade security controls on app stores, according to Trend.

“The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games,” wrote Zhang. He said one example was a flashlight app in Google Play called “Summer Flashlight”.

The firm said it has also discovered a large number of malicious applications that duplicate “clean” apps found on app stores, using the same developer certificate. That means a user could be infected if they update a non-malicious app via an untrustworthy source, Trend said.

Trend recommended users install apps only from well-known sources such as Amazon and Google Play, and that they use an up-to-date security tool.

Quiz: Have you been paying attention to security in 2016?