Annoying Android app demands admin rights to display ads

Think you can disable its superuser privileges? Think again!

David Bisson
@DMBisson

An annoying Android app asks a user to grant it administrator rights in order to display ads that lead to potential drive-by downloads.

The offending app apparently downloads automatically from Godlike Productions, a self-proclaimed “conspiracy forum” which traffics in UFOs, secret societies, and “lunatic fringe”. Not the most trustworthy stuff on the web, to be sure.

It’s therefore not surprising that the forum at one time pushed out an unwanted Android Package (APK) known as “kskas.apk” via some of its ads, a deception that several Godlike Productions members complained about on the message boards.

Forum discussion about the app (Source: Zscaler)

The APK masquerades as an Android cleaner app called “Ks Clean.” No doubt the app’s developers hope this disguise will convince users to authorize the fake system update it displays upon installation. Why? Approving the fake update causes the app to launch another APK known as “Update,” which requests administrative rights.

Shivang Desai, a security researcher at Zscaler, explains why granting these superuser privileges is the last thing an Android user should do:

“Once the app gains admin rights, it becomes impossible to remove it from the device. The traditional ‘Uninstall’ option, by default, becomes disabled, because a user cannot remove apps with admin rights. Usually, one can uninstall such apps by first removing admin privileges via settings, but this app uses an unconventional method — registering as an Android receiver — to preserve its admin privileges.”

This receiver allows the app to lock a screen if and when the user tries to disable its admin privileges. You can see for yourself in the demonstration video below.

Think force-closing will help? Not so fast. As revealed in its communication with its C&C server, the app comes with a dynamically loaded .dex file that runs a daemon process, thereby allowing the app to keep executing even if a user force-closes it.

Once it runs, the Update APK can download apps without notification, write settings, and overlay the system window with annoying ads even if the user isn’t using the app.

Ads are shown outside of the app. (Source: Zscaler)
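
For anyone triaging a suspicious APK, the combination described above (a device-admin receiver alongside overlay and settings-writing capability) shows up in the decoded manifest. The script below is an added example, not code from Zscaler's analysis or from this article; the mapping of the described behaviours to these permissions, the sample manifest and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
# Assumed mapping from behaviours named in the article to manifest permissions.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps",
    "android.permission.WRITE_SETTINGS": "changes system settings",
}

def audit_manifest(manifest_xml):
    """Return findings for a decoded AndroidManifest.xml given as a string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"permission: {perm} ({why})")
    for receiver in root.iter("receiver"):
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and
        # listens for the DEVICE_ADMIN_ENABLED broadcast.
        if receiver.get(A + "permission") == ADMIN_PERMISSION and ADMIN_ENABLED in actions:
            findings.append(f"device-admin receiver: {receiver.get(A + 'name')}")
    return findings

def is_high_risk(findings):
    """Flag apps that pair device admin with an overlay or settings permission."""
    kinds = {f.split(":", 1)[0] for f in findings}
    return {"permission", "device-admin receiver"} <= kinds

# Constructed sample manifest (not taken from the real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
    print("high risk:", is_high_risk(audit_manifest(SAMPLE_MANIFEST)))
```

A cleaner utility has no functional need for device-admin status, so a hit from `is_high_risk` on an app of that kind is a reason to inspect it further before installation.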

To protect against this APK and other annoying Android ad-displaying apps, users should avoid suspicious links and disable auto-download in their mobile web browser.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
