Android apps are gaining ground. AdWeek noted that of the 17.2 billion mobile apps downloaded in Q1 2016, more than 11 billion were for Google’s operating system (OS). While games remain the top category across both Android and iOS, there’s a growing focus on security.

Users are concerned about the threat posed by third-party apps, malicious emails and mobile ransomware. So it’s no surprise that a new threat known as Ks Clean — malware masquerading as an Android cleaning app — is using dirty tricks to grab device administrative rights.

Saying OK to OS Access

Bleeping Computer explained the new malware, which was first spotted by researchers from security firm Zscaler, hides in compromised ads on the GodLikeProductions website forum. Ads displayed on the forum would automatically download a malicious Android application package (APK) to user devices without any notification.

Clicking on the new app brings up some typical install information and then generates a pop-up that looks like a security update warning. It’s not, but users are only given one choice to close the window: OK.

This allows Ks Clean to download a second file simply called “update,” which asks for admin rights and allows the app to display advertisements at will. Although multiple complaint threads emerged on GodLikeProductions, most were either ignored or deleted, allowing the malware to spread.

Fighting for Android Malware Removal

So far, the scope of this Android malware remains fairly limited, with just over 300 instances detected across the U.K. and U.S., The Register noted. The problem? It’s incredibly persistent.

Here’s why: If users are experiencing large numbers of random pop-up ads, tracking the problem to Ks Clean’s security update isn’t a difficult task, but revoking admin rights is a nightmare. While it’s usually no problem to remove apps from the admin group, this new malware variant leverages a programming trick to freeze user devices every time deletion is attempted, making it impossible to remove without flashing the device.

The Good News

Thankfully, there is a silver lining. This kind of forced-approval infection only works on devices that have auto download enabled in their mobile browsers and have turned on the “Unknown Sources” option in Android security settings, which allows the installation of apps from outside the Play Store ecosystem. Typically, this option is off by default, limiting the risk for most mobile users.

But with rooting and jailbreaking phones becoming more common in a mobile-savvy tech market, there’s a bigger threat here than just terrible ads displayed at random. Imagine the havoc if supposed security updates downloaded sophisticated ransomware that gained admin privileges and was impossible to remove. The small-scale debut of Ks Clean suggested that current infections are effectively test runs rather than full rollouts.

Malicious actors are well aware of the social cachet carried by official security updates. Combined with the dirty trick of no-refuse update warnings, there’s real potential here for admin-enhanced mobile malware that does more than just serve up annoying advertisements.

More from

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

How I got started: SIEM engineer

3 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…