FireEye Reveals New Android Malvertising Threat

A new Android malvertising threat called Kemoge is infecting users in 20 countries. The adware has roots in China, but isn't necessarily nation-state backed.

Kemoge malvertising

Security firm FireEye today is reporting on a new malicious adware attack called Kemoge that is already affecting Android users around the world. While the full impact of Kemoge has yet to be quantified, FireEye warns that it's non-trivial.

"The samples we obtained are collected from our customers, so it's inconvenient to disclose the infection rate," FireEye research scientist Yulong Zhang told eWEEK. "We don't have the exact infection number in the wild, but based on the fact that customers from over 20 countries have been infected, the infection range should be quite large."

The way that Kemoge works is an infected app is loaded into an app store and is promoted across the Web by way of various in-app ads as well as Web ads. Once a Kemoge-infected app is on a user's Android device, the malware is able to potentially take full control by way of up to eight different exploits to get root access. Once root access is gained, an infected device then contacts the command and control service for instructions.

The malicious Kemoge apps are largely found on third-party Android app stores, but that's not always the case.

"So far, we only observed one app on Google Play signed by the same certificate signing one of the Kemoge samples," Zhang said. "This app stripped the Kemoge's malicious component but could still potentially promote malicious versions."

Zhang added that Google immediately took down the Kemoge app when FireEye notified them of the issues. He noted that FireEye didn't find any other Kemoge samples on Google Play.

Typically, in a malware installation case, the users will need to perform an action (such as a click to approve) before an app is installed. That said, Zhang noted that there are vulnerabilities for old versions of Android that enable silent installation without user interaction.

"If you use non-jailbroken, fully updated Android devices without clicking any ad, you are at least immune to known exploits," Zhang said. "Those zero-day exploits that haven't been disclosed can still make it through to compromise the phone."

Although it's mostly apps from third-party app stores that place users at risk, Google also has an effort called Verify Apps that works to help secure users for non-Google Play downloaded apps.

"Google can flag known malware, but is not good at detecting unknown threats," Zhang said. "But Google acts promptly by taking down the suspicious app per our notification. In this sense, Google has done a good job in protecting users."

FireEye's research indicates that the Kemoge malware originates in China, but that doesn't mean it's nation-state backed. "So far, we have no evidence proving that the attack is related to Chinese government," Zhang said. "We did notice that there have been quite a few such kind of worldwide malicious mobile campaigns originated from China. We will keep the investigations and try to see if there's a common threat actor behind these campaigns."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.