Device rooting Android malware found in Google Play

A new malware for Google's Android mobile operating system tries several different exploits for vulnerabilities to elevate its privileges to super user for full system access or control, security vendor Trend Micro has found.

Known as Godless, the malware is found in the Google Play and other app stores, and affects Android version 5.1 and earlier. This puts nine out of ten Android devices at risk from Godless.

Trend Micro estimated Godless has infected over 850,000 devices worldwide.

Godless uses the open source android-rooting-tools framework, which contains exploits for well-known vulnerabilities such as PingPongRoot and Towelroot.

Once a device has been rooted by Godless, the malware installs a backdoor for remote access. This can be used to silently download unwanted apps and advertisements, as well as to spy on users.

Trend Micro discovered that a new variant of Godless would only fetch exploits for vulnerabilities, and the payload, after the malicious app had been installed. This, the security vendor believes, is to evade security checks in Google Play and other app stores.

The company did not specify how many apps on Google Play contain Godless. One app in Google Play named by Trend Micro is the Summer Flashlight; other utility and wi-fi apps were also found to contain the malicious code.

Worse, Trend Micro found "a large amount of clean apps on Google Play that have corresponding malicious versions in the wild." The subverted apps share the same developer certificate as the clean variants in Google Play. 

There is a risk that the clean apps will be upgraded to malicious versions by users, who are unaware that they're installing malware on their devices.

Trend Micro advised users to always download apps from trusted stores such as Google Play and Amazon, and to review the developer's history. Developers with little or no history could be spreading malware such as Godless, the security vendor warned.