Researchers believe malicious Android app written in Kotlin code may be a first

Researchers have discovered a fake utility app called Swift Cleaner that they believe may be the first Android mobile malware developed using the open-source Kotlin programming language.

Found on Google Play, the malware was disguised as a tool called Swift Cleaner that has been installed between 1,000 and 5,000 times, according to a 9 January blog post from Trend Micro. The fake app purports to perform such helpful tasks as system and cache cleaning and memory optimisation, but in truth it is capable of malicious remote command execution, information theft, unauthorised SMS sending and URL forwarding, and click/ad fraud. It also signs up unwitting users for premium SMS subscription services, without permission.

Lorin Wu, a mobile threats analyst with Trend Micro, reports in the blog post that Google was notified of the threat, and responded by verifying that Google Play Protect has safeguards in place to protect users from the malware family in question. Wu did not indicate, however, if the app itself was removed from the store. SC Media has reached out to both Trend Micro and Google for further elaboration.

In May 2017, Google essentially endorsed Kotlin for Android development purposes by announcing first-class support for the programming language. The official Kotlin website describes Kotlin as a statically typed programming language that is fully compatible with Java and Android and can be used to build apps across multiple platforms. Its advantages, according to the site, include the reduction of boilerplate code, minimisation of errors, interoperability with existing libraries, and its tool-friendly nature. However, Wu says it is unclear how these features might benefit a bad actor when developing new malware.

When launched, the Swift Cleaner malware sends the infected device's information to a remote command-and-control (C&C) server. The C&C server sends back various task requests, as well as a specific number to which the malware sends an unauthorised SMS message. At this point URL forwarding and click/ad fraud are enabled.

Wu continues: “In its [click/ad] fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task... After that, the injection of the malicious Javascript code will take place, followed by the replacement of regular expressions... This will allow the malicious actor to parse the ads' HTML code in a specific search string. Subsequently, it will silently open the device's mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server.”

The blog post further reports that the malware can upload users' service provider information, login information and CAPTCHA images to the C&C server, which uses this data to create an unauthorised premium SMS service subscription.