Skip to main content

90 per cent of Android devices vulnerable to new 'Godless' malware

When we take a look at the Android distribution updates that Google posts every month one thing seems to never change, and that is the overwhelming number of devices that run an outdated version of the operating system.

As of early-June 2016, nearly 90 per cent of the handsets with Google Play access are rocking Lollipop, Jelly Bean or another old distribution. Meanwhile, Marshmallow powers only 10.1 per cent of Android devices.

And, as Trend Micro security researchers point out, that can be a serious problem in terms of security as there is a new family of malware, known as Godless, that affects "virtually any Android device running on Android 5.1 (Lollipop) or earlier". Using Google's figures, that's 89.9 per cent of the Android handsets in use. What's really worrying is that this malware is actually linked to apps available in major app stores, like Google's Play, and it has already made 850,000 victims across the globe.

Godless is designed to exploit root vulnerabilities, which allow it to take control of the device using elevated permissions. Android enthusiasts commonly know this as rooting, a technique which is mainly used to be able to install some apps that need high-level permissions or gain access to certain restricted functions. Basically, a rooted device puts the user in control of pretty much everything.

When an app roots your device, which is what Godless does, it is the one that takes control. This is the scary scenario, and here is why. The inexperienced user is unlikely to figure out that something is wrong, but the malware's creators can send remote instructions to download apps and install them silently in the background, among other things.

"This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users", Trend Micro points out. Based on my experience with rooting Android, I suspect that it is possible to do some physical damage to the device too, though that would make Godless less lucrative over time.

Godless is cleverly designed as, after the necessary files are downloaded, it triggers the rooting process only when the screen is turned off, hiding its actions from the user. The malware itself is then turned into a system app, which can be tricky to remove by someone with no experience.

The user has to download some apps beforehand for the malware to take control of their device, but knowing just how easy it can be to convince someone to do that I am not surprised that it already affects 850,000 handsets. The payload can steal your Google account credentials, so that it can download and install apps from Google Play. To do that, it "implements a standalone Google Play client". This can also be used to improve an app's ranking in the app store.

There is, however, a newer version of Godless which downloads the exploit and payload using a remote command and control server so that it can silently install apps. Trend Micro suspects that this allows it to bypass security checks made by app stores.

Godless can be found in various apps, with Trend Micro discovering such code in utility apps and game copies. A given example is that of a flashlight app on Google Play called Summer Flashlight, by Crazy WiFi Team. But there are also "clean" apps that can feed Godless to unsuspecting users, which "share the same developer certificate" - though at this time Trend Micro says that this might be possible only through a future upgrade - that likely bypasses Google Play, against its terms and conditions.

Because of how this malware is designed it can be very tricky to remove it. Trend Micro has not offered a fix, which leads me to believe that affected users will have to wipe their device and re-flash the firmware. Also, changing the password of the Google account used while the device was infected is obviously recommended.

Photo Credit: fatmawati achmad zaenuri/Shutterstock