Breaking News

Godless, the Android Malware that employs multiple rooting exploits

Godless is a new strain of Android Malware recently spotted by experts from Trend Micro that leverages multiple rooting exploits.

Godless is a new strain of malware that uses multiple rooting exploit to compromise Android mobile devices.

The mobile malware is a sort of hacking platform that includes an open-source rooting framework called android-rooting-tools.

The availability of multiple exploits in the framework makes this threat very dangerous, among the known flaws exploited by the Godless there are the CVE-2015-3636 and CVE-2014-3153.

The threat that can compromise devices running Android 5.1 (Lollipop) or earlier was spotted by experts from Trend Micro.  Godless has already infected over 850,000 devices worldwide, bad actors delivered it through malicious applications deployed in legitimate app stores, including Google Play.

“We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets.” states the post published by Trend Micro. “By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. “

Once the malware has rooted the device it can make several operations through the installation of malicious apps, the experts highlighted that threat has evolved over the time and last variants are able to root the device remotely by downloading malicious payload from the C&C server.

Researchers also observed that first samples of the malware were implementing a standalone Google Play client to steal users’ login credentials, meanwhile, the latest variant installs a backdoor with root access that allows attackers to completely control the device.

“We have seen the evolution of this family. In earlier Godless versions, malicious apps contain a local exploit binary called libgodlikelib.so , which uses exploit code from android-rooting-tools.” states Trend Micro.

“Recently, we came across a new Godless variant that is made to only fetch the exploit and the payload from a remote command and control (C&C) server, hxxp://market[.]moboplay[.]com/softs[.]ashx. We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play.”

The experts observed that several legitimate apps on Google Play have corresponding malicious versions in the wild and even share the same developer certificate.

“The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior,” Trend Micro says.

Experts from Trend Micro suggest to carefully review the developer of the app that we are going to download. Don’t trust unknown developers with a low reputation and no background information. Of course always download the apps from trusted stores such as Google Play

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Godless , Android malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

10 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

14 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

19 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

22 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.