Security Discovery: 1st Kotlin-Based Malware In Google Play Store
Cyber security researchers have reportedly discovered what they think is the first Krotin-based malware affecting the Android OS.
The discovery has been made by researchers at Trend Micro; a Trend Micro blog post on the same says- “We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications.”
Kotlin, which was announced as an official Android development language at Google in 2017, is actually the third language fully supported for the Android platform, the other two being Java and C++.
The Trend Micro blog post further says- “The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.”
So, as the Trend Micro blog says, this Kotlin-based malware, which seems to have been downloaded from Google Play Store by 1000 to 5000 users, poses as a utility tool that helps clean and optimize Android devices. The post explains how it works- “Upon launching Swift Cleaner, the malware sends the victim’s device information to its remote server and starts the background service to get tasks from its remote C&C server. When the device gets infected the first time, the malware will send an SMS to a specified number provided by its C&C server…After the malware receives the SMS command, the remote server will execute URL forwarding and click ad fraud.”
The blog post further says- “In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, the injection of the malicious Javascript code will take place, followed by the replacement of regular expressions, which are a series of characters that define a search pattern. This will allow the malicious actor to parse the ads’ HTML code in a specific search string. Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server…The malware can also upload the information of the user’s service provider, along with the login information and CAPTCHA images, to the C&C server. Once uploaded, the C&C server automatically processes the user’s premium SMS service subscription, which can cost the victim money.”
Experts point out that this malware, by its nature, would remain unnoticed; the victims would most likely be in for a surprise, or rather a mild shock, when they get their next phone bill.
Trend Micro has reportedly told Google about the issue; it’s heard that Google Play Protect reportedly has protections in place to protect users from this new malware.