Annoying Android app demands admin rights to display ads

Think you can disable its superuser privileges? Think again!

Annoying Android app demands admin rights to display ads

An annoying Android app asks a user to grant it administrator rights in order to display ads that lead to potential drive-by downloads.

The offending app apparently downloads automatically from Godlike Productions, a self-proclaimed "conspiracy forum" which traffics in UFOs, secret societies, and "lunatic fringe". Not the most trustworthy stuff on the web, to be sure.

It's therefore not surprising the forum at one time pushed out an unwanted Android Package (APK) known as "kskas.apk" via some of its ads, deceit about which several Godlike Productions members complained on the message boards.

Forum discussion about the app

Forum discussion about the app (Source: Zscaler)

The APK masquerades as an Android cleaner app called "Ks Clean." No doubt the app's developers hope this disguise will convince users to authorize the fake system update it displays upon installation. Why? Approving the fake update causes the app to launch another APK known as "Update," which requests administrative rights.

Shivang Desai, a security researcher at Zscaler, explains why granting these superuser privileges is the last thing an Android user should do:

"Once the app gains admin rights, it becomes impossible to remove it from the device. The traditional 'Uninstall' option, by default, becomes disabled, because a user cannot remove apps with admin rights. Usually, one can uninstall such apps by first removing admin privileges via settings, but this app uses an unconventional method — registering as an Android receiver — to preserve its admin privileges."

This receiver allows the app to lock a screen if and when the user tries to disable its admin privileges. You can see for yourself in the demonstration video below.

Think force-closing will help? Not so fast. As revealed in its communication with its C&C server, the app comes with a dynamically loaded .dex file that runs a daemon process, thereby allowing the app to execute even in the event a user forecloses it.

Once it runs, the Update APK can download apps without notification, write settings, and overlay the system window with annoying ads even if the user isn't using the app.

Ads are shown outside of the app. (Source: Zscaler)

Ads are shown outside of the app. (Source: Zscaler)

To protect against this APK and other annoying Android ad-displaying apps, users should avoid suspicious links and disable auto-download in their mobile web browser.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

No comments yet.

Leave a Reply