By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier.
The Google Play Store is full of malicious apps that has the ability to gain users’ attention into falling victim for one, but this time, researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all Android phones.
Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools.
The said framework has various exploits in its arsenal that can be used to root various Android-based devices.
The two most prominent vulnerabilities targeted by this kit are CVE-2015–3636 (used by the PingPongRoot exploit) and CVE-2014–3153 (used by the Towelroot exploit).
The remaining exploits are deprecated and relatively unknown even in the security community.
In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices.
This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads.
Even worse, these threats can also be used to install backdoors and spy on users.
Once Godless gained root privileges, it starts communicating with a command and control (C&C) server, from where it obtains an apps list to be installed on the compromised device and installs them without the users knowledge, and all of this can be done remotely.
Which are the malicious apps?
Again from TrendLabs Security Intelligence Blog:
We found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games.
For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code.
We have also seen a large amount of clean apps on Google Play that has corresponding malicious versions — they share the same developer certificate — in the wild.
The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior.
Note that updating apps outside of Google Play is a violation of the store’s