Godless, an emerging mobile malware threat capable of rooting Android phones, has started to adopt the traits of an exploit kit, in that it searches for multiple vulnerabilities through which it can automatically infect a victim. Once it successfully executes, the malware gains root access to the device, granting it full control.
Christopher Budd, global threats communications manager at Trend Micro, told SCMagazine.com in an interview that Godless is ostensibly an “encyclopedia of known, good attacks against various vulnerabilities… It's loading up on attacks and using whatever will work, similar to what we see with exploit kits on the PC side. And it's consistent with an overall macro trend over the years, where [threats] have migrated from desktop side over to the mobile side.”
In a blog post yesterday, Trend Micro warned that the abuse of numerous exploits gives the sacrilegious-sounding malware a broader target range, making it effective against any Android device running on version 5.1 (Lollipop) or earlier. That's nearly 90 percent of Android devices in use today, which Budd said is on the “high end” in terms of infection coverage, compared to other Android threats.
“The people behind it are taking a page out of the book of exploit kit writers in that they are focused on building a sustainable attack framework that you can continue to evolve,” Budd continued. “Before exploit kits, people would target one or two specific vulnerabilities with their malware and they would have to code that up. But with exploit kits you don' t have to figure out how to attack each vulnerability. You just buy the exploit kit and because you have people maintaining those exploit kits as professional products, they just keep adding to it.”
According to Trend Micro's Mobile App Reputation Service, the malware has affected more than 850,000 devices worldwide with devices in India disproportionately affected. Research shows that India is home to 46.19 percent of devices impacted by Godless, followed by Indonesia (10.27 percent) and Thailand (9.47 percent). Only 1.51 percent of infected devices are in the US.
Although Godless scans for numerous vulnerabilities, the two most significant exploits are designated CVE-2015-3636 and CVE-2014-3153, which are susceptible to exploits called PingPongRoot and Towelroot, respectively. Based on its observations, Trend Micro reported that once the malware attains root privilege, it receives instructions for secretly downloading and installing malicious apps via backdoors or stolen Google Play credentials. These apps typically deliver unwanted advertisements.
Godless also has the capability to spy on users, Trend Micro noted.
The malware has already been found in several malicious apps sold by third-party online stores. One especially sneaky variant doesn't even contain the exploit in its coding; rather, it is programmed to wait until the first app update to pull the exploit and the malicious payload from a command-and-control server. This allows the attackers to sneak infected Android apps into the official Google Play store without being detected. Indeed, Trend Micro has found this variant of Godless in various utilities and gaming apps available in the Google Play store, including a flashlight app named "Summer Flashlight."
“I think it's reasonable to suppose that moving forward, mobile malware authors are going to look at this and learn from it, and so it is unlikely this will be the last time we talk about mobile malware attacks that look like they have exploit kit capabilities,” said Budd.