A new piece of Android malware is reportedly making the rounds in as many as 20 different countries, and if security firm FireEye is to be believed, it’s quite a nasty bit of code. The exploit, known as Kemoge, was spotted masquerading as a number of legitimate apps, but upon installation it attempts to gain root access on the device, which could allow an attacker to gain complete control. It sounds bad, but as usual, the truth is a bit less sensational than they’d have you believe.
Kemoge is a form of malicious adware, according to FireEye. It borrows the icons from other apps to encourage a user to trust it. The first hurdle for the malware authors to clear is actually getting users to install the app, which is only possible via a third-party app store. That means the user has to download the APK, allow unknown sources in the security settings, then launch the package. Not exactly an easy process.
The way Kemoge functions when deployed on a vulnerable device is actually pretty clever. It copies device information and beams it back to a command and control server first, then it starts inserting ads into the UI, which can pop up in any app or even on the home screen. So that’s annoying, but what it does next is downright malicious. Kemoge contains as many as eight exploits, which it uses in an attempt to root the device. This could give the attacker full control over an infected phone. If the infected device is rooted, Kemoge immediately uninstalls any antivirus apps it finds. The exception would be Google Play Services, which runs Google’s antivirus scans. It’s impossible to remove Play Services from a device (even with root) if you still want anything to work.
Are you sufficiently frightened now? What’s described above is really the worst case scenario. The adware aspect of Kemoge should work on almost any device, assuming you go to the trouble of manually installing it. However, the root angle is much less certain. FireEye lists several of the root exploits contained in Kemoge, and they’re all quite old. There’s Motochopper, mempodroid, and a few general Linux kernel vulnerabilities. These are relics from the days when an APK could be used to root your phone. All modern versions of Android should be patched to protect against these flaws. Testing was done with a Nexus 7 running Android 4.3 (software from more than two years ago).
Root exploits are hard to develop on Android these days, but they aren’t always designed to be malware. Many Android users want root access for their own use, and that’s where a lot of the exploits used by Kemoge come from — the enthusiast community. Many devices currently on the market don’t even have functional root exploits for people who want to root their phones, so it’s unlikely Kemoge has a magical unreleased exploit that can root your phone.
Bottom line — the old root methods employed by Kemoge don’t work on popular phones or people would be using them to intentionally root their devices. We’ve reached out to FireEye to get clarification on which versions of Android they’ve confirmed root access on and will update when and if they reply.
Your first line of defense from adware attacks like this is to simply get your apps from the Play Store or from a trusted source like F-Droid or APK Mirror. When you flip the unknown sources switch, you’re instantly less safe.
Update: FireEye got back to us and clarified that all the exploits it detected in Kemoge are public and several years old (2013 and earlier). They should be patched on all newer phones.