Godless, the Android Malware that employs multiple rooting exploits

Godless is a new strain of Android Malware recently spotted by experts from Trend Micro that leverages multiple rooting exploits.

Godless is a new strain of malware that uses multiple rooting exploit to compromise Android mobile devices.

The mobile malware is a sort of hacking platform that includes an open-source rooting framework called android-rooting-tools.

The availability of multiple exploits in the framework makes this threat very dangerous, among the known flaws exploited by the Godless there are the CVE-2015-3636 and CVE-2014-3153.

The threat that can compromise devices running Android 5.1 (Lollipop) or earlier was spotted by experts from Trend Micro.  Godless has already infected over 850,000 devices worldwide, bad actors delivered it through malicious applications deployed in legitimate app stores, including Google Play.

“We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets.” states the post published by Trend Micro. “By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. “

Once the malware has rooted the device it can make several operations through the installation of malicious apps, the experts highlighted that threat has evolved over the time and last variants are able to root the device remotely by downloading malicious payload from the C&C server.

Researchers also observed that first samples of the malware were implementing a standalone Google Play client to steal users’ login credentials, meanwhile, the latest variant installs a backdoor with root access that allows attackers to completely control the device.

“We have seen the evolution of this family. In earlier Godless versions, malicious apps contain a local exploit binary called libgodlikelib.so , which uses exploit code from android-rooting-tools.” states Trend Micro.

“Recently, we came across a new Godless variant that is made to only fetch the exploit and the payload from a remote command and control (C&C) server, hxxp://market[.]moboplay[.]com/softs[.]ashx. We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play.”

The experts observed that several legitimate apps on Google Play have corresponding malicious versions in the wild and even share the same developer certificate.

“The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior,” Trend Micro says.

Experts from Trend Micro suggest to carefully review the developer of the app that we are going to download. Don’t trust unknown developers with a low reputation and no background information. Of course always download the apps from trusted stores such as Google Play

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Godless , Android malware)

[adrotate banner=”5″]

[adrotate banner=”13″]