An annoying Android app asks a user to grant it administrator rights in order to display ads that lead to potential drive-by downloads.
The offending app apparently downloads automatically from Godlike Productions, a self-proclaimed “conspiracy forum” which traffics in UFOs, secret societies, and “lunatic fringe”. Not the most trustworthy stuff on the web, to be sure.
It’s therefore not surprising the forum at one time pushed out an unwanted Android Package (APK) known as “kskas.apk” via some of its ads, deceit about which several Godlike Productions members complained on the message boards.
The APK masquerades as an Android cleaner app called “Ks Clean.” No doubt the app’s developers hope this disguise will convince users to authorize the fake system update it displays upon installation. Why? Approving the fake update causes the app to launch another APK known as “Update,” which requests administrative rights.
Shivang Desai, a security researcher at Zscaler, explains why granting these superuser privileges is the last thing an Android user should do:
“Once the app gains admin rights, it becomes impossible to remove it from the device. The traditional ‘Uninstall’ option, by default, becomes disabled, because a user cannot remove apps with admin rights. Usually, one can uninstall such apps by first removing admin privileges via settings, but this app uses an unconventional method — registering as an Android receiver — to preserve its admin privileges.”
This receiver allows the app to lock a screen if and when the user tries to disable its admin privileges. You can see for yourself in the demonstration video below.
Think force-closing will help? Not so fast. As revealed in its communication with its C&C server, the app comes with a dynamically loaded .dex file that runs a daemon process, thereby allowing the app to execute even in the event a user forecloses it.
Once it runs, the Update APK can download apps without notification, write settings, and overlay the system window with annoying ads even if the user isn’t using the app.
To protect against this APK and other annoying
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.