Do you remember the first time you started getting random popups on your computer? That turned out to be spyware, requiring you to start running programs like Webroot and Malwarebytes to fix it. Now the same thing can happen to your mobile phone.
Who identified this new virus and how is it installed onto mobile devices?
Kaspersky Lab experts recently detected an unusual new Trojan being downloaded through the Google Play Store. According to a report published in The Register, this virus, which hid inside several games in Google Play for months and was installed by Android users over 50,000 times, “installs its malicious modules while also injecting hostile code into the system runtime libraries”.
The goal of this virus seems to have been to enable the installation of apps with root-level permissions from third-party stores. The Trojan can not only obtain root access rights on an Android smartphone but also take control of the device by injecting malicious code into the system library. This virus is also capable of serving ads and executing downloaded files delivered from a remote server.
Is the sensitive data stored on my phone in jeopardy?
According to Kaspersky, “The introduction of code injection capability is a dangerous new development in mobile malware. Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won’t spot the presence of the malware.”
How does this malware work?
The Trojan installs itself onto a victim device in two stages. During the initial phase, the malware tries to gain root rights on the device. If successful, it installs many tools, some of which carry comments in the Chinese language. During the period of investigation, the malware did not receive any commands in return, which has given experts an indication that this version is in an early testing phase.
In the main phase of infection, the Trojan launches a “start” file, checks the version of Android installed and decides which library to inject its code into. Then it overwrites the existing code with malicious code, which can cause the infected device to crash.
How do I know if my device has been infected?
Kaspersky Lab first encountered the Trojan back in April and reported it to Google, which subsequently removed it from the Play Store. The most obvious sign that you downloaded this virus is if you start receiving popups during tasks like video calls or phone calls. While all the apps carrying the virus were not named, Kaspersky recommends that if you use an Android device and have downloaded a game in the last few months that has been removed from Google Play, you should perform a data backup and factory reset as soon as possible.