Another Android Security-Related Discovery: First Kotlin-Based Malware in Google Play Store

First Kotlin-Based Malware

Cyber security researchers have reportedly discovered what they believe is the first Kotlin-based malware targeting the Android OS.

The discovery was made by researchers at Trend Micro; a Trend Micro blog post on the subject says: “We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications.”

Kotlin, which Google announced as an official Android development language in 2017, is the third language fully supported for the Android platform, the other two being Java and C++.

The Trend Micro blog post further says: “The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.”

So, as the Trend Micro blog says, this Kotlin-based malware, which appears to have been downloaded from the Google Play Store by 1,000 to 5,000 users, poses as a utility tool that helps clean and optimize Android devices. The post explains how it works: “Upon launching Swift Cleaner, the malware sends the victim’s device information to its remote server and starts the background service to get tasks from its remote C&C server. When the device gets infected the first time, the malware will send an SMS to a specified number provided by its C&C server…After the malware receives the SMS command, the remote server will execute URL forwarding and click ad fraud.”

The blog post continues: “In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, the injection of the malicious Javascript code will take place, followed by the replacement of regular expressions, which are a series of characters that define a search pattern. This will allow the malicious actor to parse the ads’ HTML code in a specific search string. Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server…The malware can also upload the information of the user’s service provider, along with the login information and CAPTCHA images, to the C&C server. Once uploaded, the C&C server automatically processes the user’s premium SMS service subscription, which can cost the victim money.”

Experts point out that malware of this kind tends to go unnoticed; victims would most likely be in for a surprise, or rather a mild shock, when they receive their next phone bill.

Trend Micro has reportedly informed Google about the issue, and Google Play Protect is said to have protections in place to defend users against this new malware.

Kevin Jones

Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others. He holds prestigious certifications like OSWP, OSCP and ITIL. His goals in life are simple: to finish his maiden business venture in cyber security, and then to keep writing books for as long as he possibly can and never miss a flight that makes the news.
