A new form of mobile malware with multiple malicious functions has appeared as a spoofed app that copies the legitimate app BatteryBot Pro.
The fake app provides the victim with the same functionality as the original BatteryBot Pro, but also performs malicious activity in the background. Most notably, though the app seems to work normally, in the background it tries to load various ad libraries, ultimately delivering a click-fraud campaign. According to Zscaler, other functions include ad fraud, premium SMS fraud, and the installation of additional malicious APKs.
On the SMS front, the app is stealthy. The main activity screen is identical to that of the original app, but when the user clicks on "View Battery Use," the malware sends requests to its command and control server to retrieve short codes for premium-rate SMS numbers. Messages are then sent, and the charges show up on the user’s bill.
The app was removed from the Play Store as soon as Google became aware of its malicious intent, but those who already downloaded it may be out of luck. Upon installation, the malicious app demanded administrative access, which gives the malware developer full control of the victim's device. Because the app runs with administrator privileges, the user cannot delete it after installation.
“While in some of the scenarios we were able to manually delete the app, the malware authors have taken care to ensure persistence,” said Shivang Desai, the Zscaler researcher who discovered the app. “The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted.”
Spoofed Android apps are all too common. One way users can protect themselves is to look for, and be wary of, excessive permissions. While the legitimate BatteryBot Pro app demanded minimal permissions, the fake app demanded full admin access to obtain total control of the victim's device.
“Malware authors tend to follow one of the following two methods for malware development: Create a malware app from scratch, or compromise a legit app by embedding malicious modules into it,” Desai said. “With Android being open source and an Android app being easily reversible, most of the malware developers tend to stick with the second option.”
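The permission check recommended above, sketched as an added example that is not taken from Zscaler's analysis: it compares the decoded AndroidManifest.xml of a suspect copy against the original app's and reports what the copy additionally requests. Both manifests, the package name and the mapping from permissions to the behaviours the article describes are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Assumed mapping from manifest permissions to behaviours named in the article.
RISKY = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.INSTALL_PACKAGES": "can install additional APKs",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional APKs",
}

# Constructed sample manifests (not the real apps' manifests).
BASELINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.battery">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
CANDIDATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.battery">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def capabilities(manifest_xml):
    """Return (requested permissions, True if a device-admin receiver is declared)."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID + "name") for e in root.iter("uses-permission"))
    perms = {n for n in names if n}
    admin = any(r.get(ANDROID + "permission") == DEVICE_ADMIN for r in root.iter("receiver"))
    return perms, admin

def compare_to_baseline(baseline_xml, candidate_xml):
    """List (permission, reason) pairs the candidate adds over the baseline."""
    base_perms, base_admin = capabilities(baseline_xml)
    cand_perms, cand_admin = capabilities(candidate_xml)
    findings = [(p, RISKY.get(p, "not requested by the original app"))
                for p in sorted(cand_perms - base_perms)]
    if cand_admin and not base_admin:
        findings.append((DEVICE_ADMIN, "asks to become a device administrator"))
    return findings

if __name__ == "__main__":
    for perm, reason in compare_to_baseline(BASELINE, CANDIDATE):
        print(f"{perm}: {reason}")
```

A manifest that differs from the original's only by added SMS, install or device-admin entries is a strong sign of a repackaged copy and warrants inspection before installation.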