Rooting malware discovered on Google Play, Samsung Galaxy Store (Security News, November 2021)
Researchers have discovered 19 mobile apps carrying rooting malware on official and third-party Android app stores, including Google Play and Samsung Galaxy Store.
"By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware - steps that would normally require user interaction. Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances."
"If the user tries to run the app, it will exit and open the legitimate settings app. The app itself does not contain any malicious functionality, which makes it harder to detect. Instead, it depends entirely on the files that its C2 server provides during execution," the researchers noted.
They believe the threat actor is a "well-resourced group with financial motivation," since the trojanized apps used sophisticated evasion techniques and were disguised as utility apps and system tools to target a wide swath of Android users across Google Play, Amazon Appstore and Samsung Galaxy Store, as well as lesser-known app stores such as Aptoide and APKPure.
Finally, the permissions and capabilities the "Settings Storage" app gains are those other financially motivated threats usually take advantage of to intercept 2FA codes sent via SMS, overlay phishing screens over app windows, capture content shown on the device screen, interact with other apps, and so on.
"In an ideal scenario, the end user's device would have been protected by a mobile security solution with the detection efficacy to be able to prevent the malware from infecting the device. But in the case where a device has been rooted and perhaps additional malware installed, there are only a couple of reasonable mitigation options," Stephen Banda, Senior Manager of Security Solutions at Lookout, told Help Net Security.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/fkSe55TpXgI/