A dangerous new Android trojan dubbed Golem (a variant of the Ghost Push virus), has been discovered to be spreading rapidly around the world.
Uncovered by Cheetah Mobile Security Research Lab, Golem can control devices remotely and automatically launch and run applications without a user’s consent. Every time Golem is activated, it will download updated command code from the cloud server to launch apps and simulate users tapping, sliding and scrolling through app pages.
There are a couple of issues with this. For one, this is a malicious behavior that consumes a lot of network data, battery power and local device resources, slowing down phones as a result and possibly costing users in overage charges. Golem’s automated user gestures for swiping and scrolling can also be used in ad fraud schemes. For instance, if the attackers can get $1 by installing a promoted app on one device, they may be able to get $2 or more if the app has actually been opened and used.
The trojan’s spread is still in an early stage, infecting more than 40,000 infected Android users so far.
Cheetah Mobile explained how it works in an analysis:
In what is common knowledge for Android developers, all Android devices have been pre-loaded with a system command tool known as Input. The Input command tool is designed to help developers conduct automated testing, and is mainly used to send commands for simulating operations across devices. Generally, legitimate applications have no privilege to execute this tool, but malware with root privileges are able to utilize it.
The Golem trojan family gains root privilege and leaves a backdoor for Golem to leverage the tool. Golem can pull command codes like ‘tap,’ ‘swipe,’ and ‘press’ from a cloud server, and execute these codes with the Input command tool to operate apps automatically.
Golem is a new member of the Ghost Push root trojan family and is playing an important role in the black market profit chain.
“In the previous reports regarding Ghost Push and the underground app distribution chain behind it, we constantly mentioned that this trojan family is capable of installing unwanted and annoying apps on infected devices,” Cheetah explained “However, now that the malicious behavior has moved beyond just installing useless applications on your devices, it is acting on behalf of users.”
So far, almost all countries have been affected by this Trojan, and the most severely affected areas are India and Southeast Asia. The top three worst-hit countries are India, Indonesia and the Philippines.
Photo © limbi007