A new battery-saving application has been installed on more than 60,000 Android devices so far. Alongside its advertised function, the app lets attackers spy on infected devices, for example by stealing text messages and reading sensitive log data.
Researchers at RiskIQ discovered the malicious application and noted that it genuinely monitors the device's battery status and kills unnecessary background processes and tasks to extend battery life.
RiskIQ threat researcher Yonathan Klijnsma recently published the report on the malicious application.
Although the app these scam pages send users to does its advertised function, it also has a nasty secret—it infects victims’ devices and comes with a side of information-stealing and ad-clicking.
Klijnsma also noted that, even though a takedown request had been submitted, the malicious app was still available on the official Google Play store at the time of the report.
The attack begins while users are browsing the web: a fake warning pop-up appears, with text customized to the user's device.
Most scams of this kind redirect users to third-party web pages; this one instead sent victims to the Google Play store, where the malicious app was hosted.
The pop-up pushes the download aggressively: pressing "Cancel" still takes the user to Google Play, and pressing the back button opens another pop-up claiming that the desktop is slow and will remain slow.
Once installed, the battery-saving application requests a set of sensitive permissions: reading sensitive log data, reading text messages, full network access, and Bluetooth pairing.
Data is exfiltrated through a small backdoor that also performs ad-clicking; through it, the attackers can obtain the device's IMEI and location.
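The permission set above is the practical tell for this kind of app: a battery saver has no reason to read logs or SMS, and those capabilities combined with network access give it an exfiltration path. The following is an added example, not RiskIQ's tooling or code from the app: a triage script that parses a decoded AndroidManifest.xml (as produced by `apktool d`) and flags that combination. The mapping of the article's wording to the permission names READ_LOGS, READ_SMS, INTERNET and BLUETOOTH, the "expected for a battery saver" list, and the sample manifest (including the package name) are my assumptions, constructed for the example.

```python
"""Added example (not RiskIQ's tooling): triage the permissions a decoded
AndroidManifest.xml requests and flag the log/SMS-plus-network combination
described in the article.

Assumptions (mine, not from the report): "sensitive log data", "text
messages", "full network access" and "pairing with Bluetooth" map to
READ_LOGS, READ_SMS / RECEIVE_SMS, INTERNET and BLUETOOTH / BLUETOOTH_ADMIN.
The manifest below is constructed for the example; a real one comes from
`apktool d app.apk` as AndroidManifest.xml.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Why each flagged permission matters, for the report line.
SENSITIVE = {
    "android.permission.READ_LOGS": "read system logs (may contain other apps' data)",
    "android.permission.READ_SMS": "read stored SMS (one-time codes, 2FA)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.INTERNET": "full network access (C2 / exfiltration channel)",
    "android.permission.BLUETOOTH": "Bluetooth pairing",
    "android.permission.BLUETOOTH_ADMIN": "discover and pair Bluetooth devices",
    "android.permission.READ_PHONE_STATE": "read IMEI and phone identity",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Permissions a battery saver plausibly needs (assumed list); anything else
# requested is worth a second look.
EXPECTED_FOR_BATTERY_SAVER = {
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.BATTERY_STATS",
    "android.permission.INTERNET",  # ads/updates; harmless alone, not with exfil perms
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage(manifest_xml: str) -> dict:
    """Flag sensitive permissions and decide whether the set allows exfiltration."""
    perms = set(requested_permissions(manifest_xml))
    flagged = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    unexpected = sorted(perms - EXPECTED_FOR_BATTERY_SAVER)
    # Data-stealing capability plus a network channel is the tell: an app that
    # can read logs or SMS and reach the internet can ship what it reads to a C2.
    can_steal = bool(perms & {"android.permission.READ_LOGS",
                              "android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS"})
    has_channel = "android.permission.INTERNET" in perms
    return {"flagged": flagged, "unexpected": unexpected,
            "exfil_risk": can_steal and has_channel}


# Constructed sample manifest matching the permission set the article describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterysaver">
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Battery Saver"/>
</manifest>
"""

if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = triage(xml_text)
    for perm, why in result["flagged"].items():
        print("FLAG %s: %s" % (perm, why))
    print("unexpected for a battery saver:", ", ".join(result["unexpected"]))
    print("exfiltration risk:", result["exfil_risk"])
```

Run it as `python triage.py AndroidManifest.xml` against a decoded APK, or with no argument to see the result on the constructed sample. The "unexpected" list is only as good as the expected-permission baseline you give it; the `exfil_risk` flag is the part that generalizes, because any read-sensitive-data permission paired with INTERNET deserves dynamic analysis regardless of what the app claims to be.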
According to the researchers, the command-and-control (C2) server assigns incremental ID numbers to bots: "Based on those ID numbers, we can say with high certainty that the bot has had at least 60,000 android devices under its control."
Notably, the malicious battery-saving application actually does its job and performs its advertised features.
According to Yonathan Klijnsma,
Sometimes popular apps are bought out and then modified. I feel like that might have been the case here: Criminals buy the source code for an app or get a freelancer to build it, and then add their own malicious code.
The researchers also noted that there are probably several distinct attackers involved, not a single actor.