June 27, 2016

LevelDropper: A takedown of autorooting malware in Google Play

By Colin Streicher

LevelDropper, an app in the Google Play Store that we determined to be malicious, is the latest example of a new and persisting trend in mobile threats: autorooting malware.
Lookout discovered the app last week and worked with Google to have it removed. All Lookout customers are protected from this threat.
At first glance, LevelDropper seemed to be a simple app to use instead of a physical level from your toolbox, but upon deeper analysis, it turned out to conceal its malicious behavior. The term “autorooting malware” represents a classification of mobile malware that silently roots a device in order to perform actions only possible with more privileges. In this case, LevelDropper stealthily roots the device and goes on to install further applications — many of them — to the victim’s device.
A closer look at LevelDropper
Immediately after running LevelDropper, we noticed that the LocationServices window popped up blank. This is a significant red flag. It often indicates a potential crash that can be taken advantage of to gain an escalation in privilege.
Shortly after, new applications not previously installed on the phone slowly began to appear. The app never prompted the user to install the additional apps, which generally indicates that the application must have root access. It is not possible for an application to download and install additional apps without user interaction unless the app has root access to the package manager.
The following screenshots show the installation and running screens. While we only show two additional apps being installed here, the number of apps increases the longer it runs. After about 30 minutes, we found 14 applications downloaded, without any user interaction.
[Screenshots: installation screen and running screen of LevelDropper]
After closing out the app, a second icon appeared on the launcher (the new icon is circled in red in the screenshot).
[Screenshot: launcher with the new icon circled in red]
Silent root
We had already determined that the malicious app must have root access in order to install apps silently, but when we looked through the /system directory, we didn’t see the typical indicators that a device is rooted. Usually we would see a superuser binary and often a rewritten “install-system-recovery” script, which is used to ensure that root access survives upgrades.
We found neither. The only evidence we could uncover was the fact that the system partition was writable (usually it is mounted in read-only mode to prevent modifications); all other evidence appears to have been removed.
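As an added triage example (not Lookout's code), the script below checks for the two indicators discussed above: /system mounted read-write, and a superuser binary in the usual locations. The mount table it ships with is a constructed sample; on a device it reads /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the original post: triage checks for the silent-root
# indicators described above. Run on a device with `adb shell sh root_indicators.sh`,
# or pipe a saved copy of /proc/mounts into system_is_writable for offline review.
# Constructed sample of /proc/mounts from a device whose /system partition has been
# remounted read-write, the one trace LevelDropper left behind.
SAMPLE_MOUNTS='rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# Reads a mount table on stdin; returns 0 when the mount point ($1, default /system)
# carries the rw option. Field 2 is the mount point, field 4 the option list; the
# options are split and compared exactly (a substring match would hit "remount-ro").
system_is_writable() {
    awk -v mp="${1:-/system}" '$2 == mp {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "rw") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Returns 0 when a superuser binary sits in one of the usual locations. Checked in
# addition to the mount state, since this sample cleaned up its su binary after use.
has_su_binary() {
    for d in /system/bin /system/xbin /sbin /system/sd/xbin /data/local/bin; do
        [ -x "$d/su" ] && return 0
    done
    return 1
}

# Prints a one-line verdict for the mount table passed as $1; returns 0 if suspicious.
classify_mounts() {
    if printf '%s\n' "$1" | system_is_writable; then
        echo "SUSPICIOUS: /system mounted rw"
        return 0
    fi
    echo "OK: /system read-only"
    return 1
}

# Live check when run on a device; falls back to the constructed sample elsewhere.
if [ -r /proc/mounts ]; then
    classify_mounts "$(cat /proc/mounts)"
else
    classify_mounts "$SAMPLE_MOUNTS"
fi
has_su_binary && echo "SUSPICIOUS: su binary present"
```

A clean result from this script is not proof of a clean device: as the analysis above shows, the mount state was the only artifact left, so pair it with a check of which packages appeared without user interaction.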
Other findings
When we investigated the binary files contained in the package, we found two privilege escalation exploits and some supporting package files such as SuperSU, busybox, and supolicy. Both of the exploits appeared to use publicly available proof of concept code to gain root access.
The malicious app also included additional APKs that make use of root privileges to display obtrusive ads in a way that is difficult to get around.
Malware rooting devices, a trend
In the recent past, we’ve seen a number of families that also automatically root a victim’s device, though these may be more sophisticated and persistent.
In November, we released information about ShiftyBug, Shuanet, and Shedun, which automatically root the device and also install further applications. Brain Test, which has similar functionality, made a comeback in January.
For now, it seems like these apps are being used to drive ad revenues. In cases like this, developers often integrate auto-rooting functionality to drive app installs, which boosts both perceived popularity and ad revenue. The variant of Brain Test we wrote about at the beginning of the year was actually able to use compromised devices to download and write positive reviews of other malicious apps in the Play store by the same authors.
Removal
If you are infected by LevelDropper, you can perform a factory reset on the device to get rid of the malware. Install a security app that can alert you before you install a malicious application in the future.
Appendix

SHA1: 3646c8361252876012402878b84763403928b588

Image via aaronHwarren/Flickr

Author

Colin Streicher



5 comments


Andre says:

July 20, 2016 at 3:55 am

I tried to install it on a Samsung GS5 on 5.0.2 - seems OK, nothing happened. I checked with Root Checker; the phone is still fine and no apps were silently installed.


Andre says:

June 29, 2016 at 3:11 am

Hi, do you mind sharing with me where I can get/find the infected app, please?


Meghan Kelly says:

August 15, 2016 at 10:01 am

Hi Andre, you can use the hash in the blog to look up the app on VirusTotal. Here's the hash again: SHA1: 3646c8361252876012402878b84763403928b588. Hope this helps.


Cyber lumber jack says:

June 28, 2016 at 8:02 am

What CVEs are used for the rooting tools?


Meghan Kelly says:

July 07, 2016 at 3:13 pm

Hi there, we found one of the exploits leveraged CVE-2015-3636.


charlie says:

June 28, 2016 at 6:07 am

Do you have the SHA1 or package name of the malware from Google Play?


Meghan Kelly says:

June 28, 2016 at 10:10 am

Hi Charlie, thanks for reaching out. We've added an appendix with the SHA1.


Trash panda says:

June 27, 2016 at 9:56 pm

Can you guys share the hashes?


Meghan Kelly says:

June 28, 2016 at 1:41 pm

Hey there, we added the SHA1 in the appendix.