App not on the level, and not in the spirit
Google scans billions of “potentially harmful apps” on the Play store, but a malware app has slipped through, and is automatically rooting phones it infects.
The since-scuppered malware masqueraded as a spirit level application dubbed Level Dropper.
When installed it would root Android devices and install additional applications to generate advertising revenue.
Lookout chief strategy officer Colin Streicher found in tests that Level Dropper installed 14 applications 30 minutes after the app is first run.
“In this case, LevelDropper stealthily roots the device and goes on to install further applications — many of them — to the victim’s device,” Streicher says.
“Immediately after running LevelDropper, we noticed that the LocationServices window popped up blank [which] often indicates a potential crash that can be taken advantage of to gain an escalation in privilege.
Streicher says the rooting process is more stealthy than other malware apps, reducing the flags typical of root malware.
With root access the application can gain access to the Android package manager which removes the need for user’s to approve the installation of additional applications.
It is unknown what versions of Android the malware can compromise, however it appeared to have been tested on version 4.4 KitKat.
Android versions 5 Lollipop and 6 Marshmallow throw more granular user permission checks, even on rooted phones, making compromise much more difficult.
Malware on these modern platforms tend to use screen overlays and accessibility functions to compromise users. ®