Adware, or advertising-supported software, is used by developers to generate revenue by displaying on-screen ads. It is often bundled with other malicious components that carry out further malicious activity on the device. According to Kaspersky, about 14.8% of Android users infected by malware or adware were left with undeletable files. These infections include trojans that modify the system partition and can install apps without the user's knowledge, as well as less dangerous but intrusive adware apps.
An Overview
Advertising revenue is what keeps much of the internet free around the globe. Nevertheless, this model is exploited by cyber crooks to collect revenue of their own. Adware continually displays ads, which is a nuisance in itself and also drains the battery and increases network traffic. On top of that, adware can let attackers spy on the host system by injecting other malware.
Android victims of these attacks found that they could not remove the adware from their devices even after installing a legitimate security solution. The malware embeds itself in the system firmware, and security solutions cannot write to system directories, so they fail to remove the malicious files.
Threat actors infect devices in two ways: either by gaining root access and installing the adware, or by placing the ad-displaying code in the device firmware before the device ever reaches the customer. The latter scenario is seen in low-cost devices, where an attempt by anti-virus software to remove the malware from the system firmware can render the device inoperable. The adware is pre-installed on low-cost devices, letting the manufacturers (like Meizu, according to Kaspersky) make more profit.
It may be enticing to buy a less expensive Android device, but pre-installed adware can even let threat actors gain remote access to the device.
Malware and Adware
The Lezok and Triada Trojans
Kaspersky tracked two malware threats installed in the system partition of Android smartphones: the Lezok and Triada trojans.
The Triada trojan injects ad code into libandroid_runtime, a key library that almost every app uses. Other trojan scripts were also seen tampering with the system's security.
For instance, the Agent trojan hides itself inside the app that manages the system's graphical interface, or inside the Settings utility. These utilities are essential for the device to operate properly, so they cannot simply be removed, and from there the trojan can deliver a payload that downloads and runs other malicious files on the device.
Another trojan found on these devices is Sivu, which impersonates an HTMLViewer app. According to Kaspersky, the malware contains two modules: the first displays ads on top of other applications, and the second uses root permissions to install, uninstall and run applications at the attackers' command.
Plague Adware App
Plague is another piece of malware tracked by Kaspersky. It poses as a legitimate app named Android Services and installs itself in the system partition, from where it can download and install apps in the background without the user's knowledge.
Necro.d Trojan
The trojan hides in a system library, but its launch mechanism is located in a different file, libandroid_servers.so, the library that runs Android services.
On instructions from its command-and-control (C2) server, Necro.d can download, install, uninstall and run applications. Its developers also leave a backdoor on the device that lets them execute shell commands. In addition, it downloads the Kingroot superuser utility, which extends its ability to steal the victim's "very important" information without interference.
Several other malware apps use similar techniques to compromise Android devices: Penguin, Facmod, Guerrilla, Virtualinst and Secretad.
Low-cost devices with pre-installed adware usually ship with an "App Store" application that acts as adware, displaying ads through invisible windows over other apps and draining data and battery. Kaspersky researchers also noticed that it downloads third-party JavaScript to execute other malicious code on the host device.
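The families described above share one trait: they live on the system partition, which is why a security app with ordinary permissions cannot delete them. As an added example that is not from the Kaspersky report or from this article, the following Python script parses the output of `adb shell pm list packages -f -s` (the line format `package:<apk path>=<package name>` is the real one) and reports which packages sit on the read-only system image but are not in the device owner's allowlist, and which ones a user could actually uninstall. The sample output, the allowlist and every `com.example.*` package name are constructed placeholders standing in for the impersonating apps the text describes, not real indicators.

```python
"""Triage of Android package listings: which packages sit on the system image?

Added illustration, not Kaspersky's or the article's tooling. Input is the
real format of `adb shell pm list packages -f -s`:
    package:<apk path>=<package name>
All sample paths, package names and the allowlist below are CONSTRUCTED.
"""
from __future__ import annotations

from dataclasses import dataclass

# Partitions that make up the read-only system image. Packages here cannot be
# uninstalled by a regular user or by a security app; at most they can be
# disabled for the current user (`pm disable-user`) or removed by reflashing.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/oem/", "/odm/")

# Constructed allowlist: what the owner expects on the system image. On a real
# device, build this from a known-good unit or the vendor's published image.
EXPECTED_SYSTEM_PACKAGES = frozenset({
    "com.android.settings",
    "com.android.systemui",
    "com.android.htmlviewer",
    "com.android.phone",
})

# Constructed sample output. "com.example.androidservices" and
# "com.example.appstore" are made-up stand-ins for the "Android Services" and
# "App Store" impersonators described in the text; they are not real IoCs.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/app/HTMLViewer/HTMLViewer.apk=com.android.htmlviewer
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/system/app/AndroidServices/AndroidServices.apk=com.example.androidservices
package:/vendor/app/AppStore/AppStore.apk=com.example.appstore
package:/data/app/~~Q2xvc2U=/com.example.game-1/base.apk=com.example.game
"""


@dataclass(frozen=True)
class Package:
    name: str
    apk_path: str

    @property
    def on_system_image(self) -> bool:
        return self.apk_path.startswith(SYSTEM_PREFIXES)

    @property
    def user_removable(self) -> bool:
        # Only packages under /data can be uninstalled without root or reflashing.
        return not self.on_system_image


def parse_pm_list(output: str) -> list[Package]:
    """Parse `pm list packages -f` lines. Raises on lines it does not recognise."""
    pkgs: list[Package] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("package:") or "=" not in line:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        # Newer Android builds put base64 (with '=') in /data/app paths, so split
        # on the LAST '=' to separate the APK path from the package name.
        path, name = line[len("package:"):].rsplit("=", 1)
        pkgs.append(Package(name=name, apk_path=path))
    return pkgs


def unexpected_system_packages(
    pkgs: list[Package], expected: frozenset[str] = EXPECTED_SYSTEM_PACKAGES
) -> list[Package]:
    """System-image packages the owner did not expect: candidates for a closer look."""
    return [p for p in pkgs if p.on_system_image and p.name not in expected]


def triage_report(output: str) -> dict[str, list[str]]:
    """Summarise a listing into what needs investigation and what a user can remove."""
    pkgs = parse_pm_list(output)
    return {
        "unexpected_system": [p.name for p in unexpected_system_packages(pkgs)],
        "user_removable": [p.name for p in pkgs if p.user_removable],
    }


if __name__ == "__main__":
    for category, names in triage_report(SAMPLE_PM_OUTPUT).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

The report separates the two situations the article contrasts: a package under /data can be uninstalled by the user or a security app, whereas an unexpected entry under /system or /vendor can only be disabled per user or removed by reflashing the firmware, with the warranty and bricking risks that entails. The allowlist is the weak point of this approach; it has to come from a trustworthy build of the same model, not from the suspect device itself.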
Precautions for Android Users
Research the model and manufacturer of a mobile device carefully before buying. A safer device is always a better choice than a cheaper one.
If the adware is pre-installed on your device, there is little a user can do: anti-virus software often renders the device inoperable when it tries to remove the malware.
Reflashing the device with new firmware is one way out, but it voids the device's warranty and may cause permanent damage.
It is always advisable to buy Android smartphones and devices from genuine, reputable companies. They may seem more expensive, but they ensure reliability and properly secure their firmware.
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology, with cybersecurity as his primary field of interest. He loves to meet people who are always in a hustle to learn new things.