Android apps are gaining ground. AdWeek noted that of the 17.2 billion mobile apps downloaded in Q1 2016, more than 11 billion were for Google’s operating system (OS). While games remain the top category across both Android and iOS, there’s a growing focus on security.

Users are concerned about the threat posed by third-party apps, malicious emails and mobile ransomware. So it’s no surprise that a new threat known as Ks Clean — malware masquerading as an Android cleaning app — is using dirty tricks to grab device administrative rights.

Saying OK to OS Access

Bleeping Computer explained the new malware, which was first spotted by researchers from security firm Zscaler, hides in compromised ads on the GodLikeProductions website forum. Ads displayed on the forum would automatically download a malicious Android application package (APK) to user devices without any notification.

Clicking on the new app brings up some typical install information and then generates a pop-up that looks like a security update warning. It’s not, but users are only given one choice to close the window: OK.

This allows Ks Clean to download a second file simply called “update,” which asks for admin rights and allows the app to display advertisements at will. Although multiple complaint threads emerged on GodLikeProductions, most were either ignored or deleted, allowing the malware to spread.

Fighting for Android Malware Removal

So far, the scope of this Android malware remains fairly limited, with just over 300 instances detected across the U.K. and U.S., The Register noted. The problem? It’s incredibly persistent.

Here’s why: If users are experiencing large numbers of random pop-up ads, tracking the problem to Ks Clean’s security update isn’t a difficult task, but revoking admin rights is a nightmare. While it’s usually no problem to remove apps from the admin group, this new malware variant leverages a programming trick to freeze user devices every time deletion is attempted, making it impossible to remove without flashing the device.

The Good News

Thankfully, there is a silver lining. This kind of forced-approval infection only works on devices that have auto download enabled in their mobile browsers and have turned on the “Unknown Sources” option in Android security settings, which allows the installation of apps from outside the Play Store ecosystem. Typically, this option is off by default, limiting the risk for most mobile users.

But with rooting and jailbreaking phones becoming more common in a mobile-savvy tech market, there’s a bigger threat here than just terrible ads displayed at random. Imagine the havoc if supposed security updates downloaded sophisticated ransomware that gained admin privileges and was impossible to remove. The small-scale debut of Ks Clean suggested that current infections are effectively test runs rather than full rollouts.

Malicious actors are well aware of the social cachet carried by official security updates. Combined with the dirty trick of no-refuse update warnings, there’s real potential here for admin-enhanced mobile malware that does more than just serve up annoying advertisements.

more from

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…