
KSKAS Malware Spreads Through Drive-By Downloads

ZScaler has found a new piece of Android malware, distributed as an APK file named KSKAS.apk, that tries to download itself to users’ devices automatically and then seeks device administrator privileges in order to display ads, among other malicious functions. It all begins with a “drive-by download,” where a site pushes a file to the device without the user asking for it. Most browsers either save a downloaded file for the user to deal with later or ask how to proceed; drive-by downloads of this kind instead hand the APK straight to the Android package installer, so the install prompt appears as soon as the download finishes. The app presents itself as “KS Clean.” Declining that installation prompt is, for the most part, enough to stay safe. Users who are fooled into installing the app are then greeted by a pop-up on their home screen urging them to accept an update “for security reasons.” Tapping OK installs a second app, and that second app carries the malicious payload.

Once the second app is installed, it immediately prompts the user for device administrator privileges. If those privileges are granted, the app has everything it needs to take over the device: a device administrator cannot be uninstalled through the normal app settings until the administrator status is revoked, and the app gets a callback whenever the user tries to revoke it. On the surface, it just shows the user advertisements in various places. The push for administrator privileges, together with a laundry list of suspicious permissions such as drawing on top of other apps, is a jarring hint at what it is really doing in the background. ZScaler’s researchers dove into the APK file and watched the app in action in an emulator. Behind the scenes, it phones home to a command-and-control server and sends back a wide range of information about the device. Attempting to disable its administrator privileges simply freezes the device temporarily, which is how the app holds on to them.
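The two markers the paragraph above calls out, a device administrator receiver and a pile of permissions an ad "cleaner" has no business holding, are both visible statically in the APK's manifest. The following triage script is an added example, not Zscaler's code or anything from the malware itself; it assumes the binary manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest, package name and permission weighting are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the markers described
above: a device-administrator receiver plus a run of permissions that a
supposed "cleaner" app has no legitimate need for.

Added example; assumes the binary manifest was already decoded to plain XML
(e.g. with apktool). Everything below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Attributes in the manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, taken together, fit an adware/dropper profile. The list
# and the annotations are this example's own judgment, not Zscaler's.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay ads, fake prompts)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself after reboot",
    "android.permission.READ_PHONE_STATE": "read device identifiers to report home",
    "android.permission.GET_TASKS": "observe which app is in the foreground",
    "android.permission.WRITE_EXTERNAL_STORAGE": "stage a second APK on storage",
}

# Constructed sample: what a "KS Clean"-style second-stage manifest could
# look like. Package name and receiver name are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="KS Clean">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                       android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign comparator: network access only, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(ANDROID_NS + name)


def triage_manifest(xml_text):
    """Return findings for one decoded manifest as a plain dict."""
    root = ET.fromstring(xml_text)

    found_perms = [
        _attr(p, "name")
        for p in root.iter("uses-permission")
        if _attr(p, "name") in SUSPICIOUS_PERMISSIONS
    ]

    # A device admin is a <receiver> guarded by BIND_DEVICE_ADMIN and/or
    # listening for DEVICE_ADMIN_ENABLED; either form is enough to flag it.
    admin_receivers = []
    for recv in root.iter("receiver"):
        actions = {_attr(a, "name") for a in recv.iter("action")}
        guarded = _attr(recv, "permission") == "android.permission.BIND_DEVICE_ADMIN"
        if guarded or "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            admin_receivers.append(_attr(recv, "name"))

    # Crude weighting: an admin receiver counts for three bad permissions.
    score = len(found_perms) + 3 * len(admin_receivers)
    return {
        "package": root.get("package"),
        "suspicious_permissions": found_perms,
        "device_admin_receivers": admin_receivers,
        "verdict": "review" if score >= 3 else "low",
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, result["verdict"], result)
        for perm in result["suspicious_permissions"]:
            print("   ", perm, "->", SUSPICIOUS_PERMISSIONS[perm])
```

The admin receiver is the item worth weighting most heavily: once the user activates it, the app gets a callback when anyone tries to deactivate it again, which is the hook that makes revocation hostile, and the app cannot be uninstalled through the normal app settings until that status is gone. The permission list on its own is only suggestive; plenty of legitimate apps hold SYSTEM_ALERT_WINDOW, so treat the score as a reason to look closer, not a verdict.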

As with most Android malware, the single biggest point for staying safe is not to install anything from outside the Play Store. If you do install something from outside the Play Store, make sure you know what it is and that it comes from a source you trust. This is not foolproof, but it is a good precaution. If you have no plans to sideload anything in the near future, the safest bet is to keep Unknown Sources, the setting that allows installs from outside the Play Store, turned off: the drive-by download can still land on the device, but the package installer will refuse to install it. On Android 8.0 and later that global toggle is replaced by a per-app “Install unknown apps” permission, so check that the browser in particular has not been granted it. If you are victimized by this malware or a similar one, booting into safe mode, which stops third-party apps from running, sometimes lets you revoke the device administrator status in Settings and then uninstall the app; failing that, unless you have root privileges and know how to remove the malware at the system level despite its administrator status, your only real recourse is a factory reset. Malware is a fairly common phenomenon on Android; for this campaign alone, ZScaler reports that its software blocked around 300 attempted infections in the US and UK.