A battery-saving application that has been downloaded onto more than 60,000 Android devices allows attackers to snatch text messages and read sensitive log data.
According to researchers at RiskIQ, it does live up to its marketing: it really does monitor the device's battery status and kill unwanted background processes.
Yonathan Klijnsma, a threat researcher at RiskIQ, wrote in a recent post that although the application, which is pushed to users through scam pages, does perform its advertised function, it also hides a malicious secret: it fully infects the victim's device and comes with a side of information-stealing and ad-clicking functionality.
Klijnsma also noted in the post that the application, called Advanced Battery Saver, has been taken down by Google Play after a take-down complaint was filed.
The attack starts with a fake warning message that appears on the Android user's device while they browse the web.
Klijnsma said the alert text is customized to the victim's device by parsing the user-agent server-side and embedding the parsed model and brand information in the script behind the pop-up.
While most such scams lead victims to other web pages, the researchers were surprised to discover that this unscrupulous message led them to Google Play, where they were then served a malicious app.
The pop-up pushes victims hard to do its bidding: clicking Cancel instead of Install still takes them straight to the Google Play Store application, and if the user presses the back button on the page, another warning pop-up appears claiming that their desktop will stay slow.
Once the victim goes to the app store and downloads the battery-saving app, it requests access to a range of privacy-sensitive permissions, including reading sensitive log data, receiving data from the internet, receiving text messages, pairing with Bluetooth devices and full network access.
The mobile application also comes with a small ad-clicking backdoor that steals information from the user's phone, such as the International Mobile Equipment Identity (IMEI), location and phone numbers.
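The permission set described above is the kind of mismatch a reviewer can check mechanically: a battery utility has no business receiving SMS or reading logs. The following is an added example, not code from RiskIQ or the article, that parses an AndroidManifest.xml, compares the declared permissions against an assumed baseline for a battery-saver app, and reports the excess permissions with the capability each one unlocks. The permission names are the standard Android identifiers for the capabilities the article lists; the baseline, the package name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities the article lists to Android permission
# identifiers; the baseline below is my own, not RiskIQ's.
HIGH_RISK = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.RECEIVE_SMS": "receive text messages",
    "android.permission.READ_PHONE_STATE": "read the IMEI and phone numbers",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.BLUETOOTH_ADMIN": "pair with Bluetooth devices",
}
# What a battery-saver utility plausibly needs (assumed baseline).
EXPECTED_FOR_BATTERY_SAVER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.BATTERY_STATS",
}

def requested_permissions(manifest_xml: str) -> set:
    # Collect every <uses-permission android:name="..."> in the manifest.
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit_manifest(manifest_xml: str, expected=EXPECTED_FOR_BATTERY_SAVER) -> dict:
    # Anything beyond the expected profile is "unexpected"; the subset that
    # grants data access is reported with the capability it unlocks.
    requested = requested_permissions(manifest_xml)
    unexpected = requested - expected
    return {
        "requested": requested,
        "unexpected": unexpected,
        "high_risk": {p: HIGH_RISK[p] for p in sorted(unexpected) if p in HIGH_RISK},
    }

# Constructed sample manifest modelled on the permissions the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
if __name__ == "__main__":
    for perm, why in audit_manifest(SAMPLE_MANIFEST)["high_risk"].items():
        print(f"{perm}: lets the app {why}")
```

Running it against the sample manifest flags READ_LOGS, RECEIVE_SMS, BLUETOOTH_ADMIN and READ_PHONE_STATE as exceeding what a battery saver needs, while INTERNET and KILL_BACKGROUND_PROCESSES pass as expected.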
The researchers were able to examine the command-and-control traffic and observed that the C2 server assigned incremental ID numbers to the bots; based on those ID numbers, they can say with high certainty that the botnet has had almost 60,000 Android devices under its control.
Amusingly, the application does in fact perform the legitimate functions already mentioned, including reducing battery wear to extend the device's battery life, monitoring the battery's status, and killing off processes that consume battery resources when the battery is low.
Klijnsma explained that popular applications are sometimes bought out and then modified. Criminals can buy the source code for an application, or get a freelancer to build one, and then add their own malicious code.
Google Play lists details about developers, so Klijnsma was able to track down some clues about the app's developer using the listed email address. That email had previously been associated with another application in the Google Play store, which has also been taken down. There may be more than one attacker at play.
Klijnsma said it appears that the majority of the effort went into making the mobile application, while the pages that redirect to it seem comparatively low-effort. The lack of attention to detail on the redirector pages might mean the group cares less about them than about the application itself, or that one part of the group builds the redirector pages while others are responsible for the mobile side of the campaign.