Malicious battery-saving app infects 60,000 devices to steal text messages, read sensitive log data
- Adware has infected 60,000 Android devices.
- Malware drops data-stealing backdoor.
- Adware can steal SMS messages, internet data and gain full network access.
Over 60,000 Android devices have been infected by a malicious Android app that drops ad-click malware and steals data. The malicious app gains access to a victim’s device via an online pop-up ad claiming that the device’s battery is failing because of certain issues.
According to security researchers at RiskIQ, who discovered the new scam campaign, the malicious ad, if clicked on, redirects victims to a Google Play page that promotes a battery-saving app. If downloaded and granted permissions, the app can perform a slew of nefarious activities from harvesting data to modifying system settings.
Interestingly, the pop-up message is delivered only after the adware checks for the device’s language, researchers said. The adware can also check for the device’s brand and model to deliver a more customised pop-up message.
“The pop-up text is customized towards the visitor’s device by parsing the user-agent server-side and embedding the processed brand and model information in the script that renders the pop-up. In this instance, the pop-up identified the user device as a Samsung SM-G925A,” RiskIQ researchers wrote in a blog.
From battery-saving to data-harvesting
If granted the necessary permissions, the malicious app can read sensitive log data, receive SMS messages and internet data, pair with Bluetooth devices, gain full network access, modify system settings and more.
According to researchers, the app does actually perform the functions that it advertises such as reducing battery strain, monitoring battery status and killing processes that use up a lot of battery resources during low charge. However, victims also get an ad-clicking backdoor thrown in as a bonus.
Although the backdoor may seem benign, it is capable of stealing a variety of information, including phone numbers, phone type, IMEI number, phone model, brand, location and more.
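The permission set described above is the kind of thing an app reviewer or mobile security team can check mechanically. As an added example that is not RiskIQ’s code and not taken from the app itself, the script below parses a constructed AndroidManifest.xml and flags declared permissions that go beyond what a battery saver plausibly needs, mapping each to the capability named in the report; the permission sets and the sample manifest are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android resource namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a legitimate battery saver can plausibly justify
# (battery monitoring, killing battery-hungry background processes).
EXPECTED = {
    "android.permission.BATTERY_STATS",
    "android.permission.KILL_BACKGROUND_PROCESSES",
}

# Permissions that would enable the capabilities attributed to the app,
# mapped to the behaviour a reviewer should ask the developer to justify.
SUSPICIOUS = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.RECEIVE_SMS": "receive SMS messages",
    "android.permission.INTERNET": "full network access",
    "android.permission.BLUETOOTH": "pair with Bluetooth devices",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.READ_PHONE_STATE": "read IMEI and phone type",
    "android.permission.ACCESS_FINE_LOCATION": "read device location",
}

# Constructed sample manifest: a 'battery saver' over-declaring permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def audit(manifest_xml: str) -> dict:
    """Return {permission: capability} for declared permissions outside EXPECTED."""
    extra = declared_permissions(manifest_xml) - EXPECTED
    return {p: SUSPICIOUS[p] for p in sorted(extra) if p in SUSPICIOUS}
```

Run `audit(SAMPLE_MANIFEST)` to get the five out-of-profile permissions with the capability each one grants; an empty result means the manifest stays within the battery-saver profile.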
The fact that the campaign has already infected 60,000 Android devices indicates how simple it is for attackers to lure victims into clicking on malicious ads. The campaign also shows that even low-skilled attackers constantly experiment with new tools and techniques to broaden their set of attack vectors.
Gotta catch ’em all
Researchers also noted that users are taken to the Google Play page regardless of whether they identified as a desktop or mobile user.
“We are taken to the Google Play page regardless of whether the code identifies us as a mobile or desktop user-agent, a catch-all approach which could suggest that a relatively unsophisticated group is behind the scam page,” RiskIQ researchers said.
“It appears that most of the effort here went into making the mobile app while the page that redirects to it seems to be relatively low-effort,” the researchers added. “The lack of attention to detail on the redirector pages could signify that the group is less concerned with them than they are with the app itself, or that one group is creating the redirector pages while another is responsible for the mobile part of the campaign.”