Malicious Android app installs ‘impossible to remove’ adware

Security researchers have discovered a new piece of Android malware: an Android Package (APK) disguised as a cleaner app called Ks Clean, which tricks users into downloading a fake security update. Once that update is installed, the malware cannot be removed by normal means.

Ks Clean app and the permissions it asks for (Image Credit: Zscaler)

The APK downloads automatically, mainly from online forums

According to Zscaler, a web security company, the APK is pushed by malicious ads: visiting a page that carries one of these ads triggers an automatic download of the app. Ads on online forums, in particular, have been found to host the malware.

Once the app is installed, the user is presented with a message claiming that the phone has a security loophole that puts the user's account and personal information at risk. The only option the dialog offers is an "Ok" button.

Since the user has no other choice, and believes it to be a legitimate security update from Google, he or she taps "Ok", upon which a second APK, dubbed "Update", is downloaded.

(Image Credit: Zscaler)

“Update cannot be removed.”

Once the "Update" APK is installed on the device, it cannot be removed, because it registers itself as an Android receiver.

An Android receiver (BroadcastReceiver) is an app component that the system activates whenever an event or action the component has registered for is broadcast.

In this case the app first obtains device administrator rights, then registers a receiver for the 'DEVICE_ADMIN_DISABLED' event. Whenever the user tries to revoke those rights or delete the app manually, the event fires and hands control back to the malware; the phone simply gets stuck and the app stays in place.

Force-closing the app does not help either: it keeps running in the background thanks to a separate .dex (Dalvik executable) file that carries its code. According to the blog post by Shivang Desai of Zscaler:

“Once the app gains admin rights, it becomes impossible to remove it from the device. The traditional ‘Uninstall’ option, by default, becomes disabled, because a user cannot remove apps with admin rights. Usually, one can uninstall such apps by first removing admin privileges via settings, but this app uses an unconventional method — registering as an Android receiver — to preserve its admin privileges.”
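A practitioner looking at an APK like this would start from its decoded AndroidManifest.xml (as produced by apktool) and look for the marker described above: a receiver protected by the BIND_DEVICE_ADMIN permission, i.e. a DeviceAdminReceiver, and whether it explicitly registers for the events Android sends when a user tries to revoke admin rights. The script below is an added example, not Zscaler's code or anything from the Ks Clean sample; the embedded manifest is constructed for illustration and the package and component names (com.example.cleaner, UpdateAdminReceiver) are hypothetical. It flags the receivers to reverse-engineer first; what the receiver actually does in onDisableRequested/onDisabled can only be seen in the code itself.

```python
"""Static triage of a decoded AndroidManifest.xml for device-admin receivers
that hook the admin-revocation events. Added example; manifest is constructed
and all package/component names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Broadcast actions the system delivers to a DeviceAdminReceiver when the
# user tries to revoke its admin rights. A receiver that reacts to these can
# stall or undo the revocation, which is the behaviour described above.
DISABLE_ACTIONS = {
    "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED",
    "android.app.action.DEVICE_ADMIN_DISABLED",
}

# Constructed sample manifest: one ordinary receiver and one device-admin
# receiver that also registers for the disable events (hypothetical names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UpdateAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree uses Clark notation)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_device_admin_receivers(manifest_xml):
    """Return one dict per <receiver> guarded by BIND_DEVICE_ADMIN, with the
    fully qualified component name (package/class), every action it filters
    on, and the subset of those that are admin-disable events."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        if _attr(receiver, "permission") != BIND_DEVICE_ADMIN:
            continue
        name = _attr(receiver, "name") or ""
        # A leading dot means the class is relative to the package name.
        cls = pkg + name if name.startswith(".") else name
        actions = [_attr(a, "name") for a in receiver.iter("action")]
        findings.append({
            "component": f"{pkg}/{cls}",
            "actions": actions,
            "disable_hooks": sorted(set(actions) & DISABLE_ACTIONS),
        })
    return findings


def flag_admin_persistence(manifest_xml):
    """Components to reverse-engineer first: device-admin receivers that
    explicitly register for the admin-disable events."""
    return [f["component"]
            for f in find_device_admin_receivers(manifest_xml)
            if f["disable_hooks"]]


if __name__ == "__main__":
    for finding in find_device_admin_receivers(SAMPLE_MANIFEST):
        print(finding)
    print("suspicious:", flag_admin_persistence(SAMPLE_MANIFEST))
```

On the sample manifest the script reports a single device-admin receiver, com.example.cleaner/com.example.cleaner.UpdateAdminReceiver, hooked on both disable events. A legitimate device-admin app (a corporate MDM client, for example) also carries a BIND_DEVICE_ADMIN receiver, so a hit here is a triage lead, not a verdict; the component name is what you would pass to Settings or the admin-revocation flow when cleaning a device.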

What does the APK do?

Once the "Update" APK is on your device, you will keep seeing unwanted ads on your home screen. But it can do much more than that: it can manipulate your bookmarks, change your settings and even download other apps without your knowledge.

What can you do to protect yourself?

First and foremost, refrain from clicking on suspicious links and disable automatic downloads in your browser, so that no unknown apps are saved to your device in the background. It is also advisable to stay away from unknown online forums, since that is where most instances of this malware have been found. If a device is already infected, Android's safe mode (which boots with third-party apps disabled) is the usual way to revoke such an app's device administrator rights in Settings and then uninstall it.

Desai has also shared a demonstration video showing how the malware works.
