LevelDropper: A takedown of autorooting malware in Google PlayDownload Case Study
LevelDropper, an app in the Google Play Store that we determined to be malicious, is the latest example of a new and persisting trend in mobile threats: autorooting malware.
Lookout discovered the app last week and worked with Google to have it removed. All Lookout customers are protected from this threat.
At first glance, LevelDropper seemed to be a simple app to use instead of a physical level from your toolbox, but upon deeper analysis, it turned out to conceal its malicious behavior. The term “autorooting malware” represents a classification of mobile malware that silently roots a device in order to perform actions only possible with more privileges. In this case, LevelDropper stealthily roots the device and goes on to install further applications — many of them — to the victim’s device.
A closer look at LevelDropper
Immediately after running LevelDropper, we noticed that the LocationServices window popped up blank. This is a significant red flag. It often indicates a potential crash that can be taken advantage of to gain an escalation in privilege.
Shortly after, new applications not previously installed on the phone slowly began to appear. The app never prompted the user to install the additional apps, which generally indicates that the application must have root access. It is not possible for an application to download and install additional apps without user interaction unless the app has root access to the package manager.
The following screenshots show the installation and running screens. While we only show two additional apps being installed here, the amount increases the longer it runs. After about 30 minutes, we found 14 applications downloaded, without any user interaction.
After closing out the app, a second icon appeared on the launcher (the new icon circled in red):
We had already determined that the malicious app must have root access in order to install apps silently, but when we looked through the /system directory, we didn’t see the typical indicators that a device is rooted. Usually we would see a superuser binary and often a rewritten “install-system-recovery” script, which is used to ensure that root access survives upgrades.
We found neither. The only evidence we could uncover was the fact that the system partition was writable (usually it is mounted in read-only mode to prevent modifications); all other evidence appears to have been removed.
When we investigated the binary files contained in the package, we found two privilege escalation exploits and some supporting package files such as SuperSU, busybox, and supolicy. Both of the exploits appeared to use publicly available proof of concept code to gain root access.
The malicious app also included additional APKs that make use of root privileges to display obtrusive ads in a way that is difficult to get around.
Malware rooting devices, a trend
In the recent past, we’ve seen a number of families that also automatically root a victim’s device, though these may be more sophisticated and persistent.
In November, we released information about ShiftyBug, Shuanet, and Shedun, which automatically root the device and also install further applications. Brain Test, which has similar functionality, made a comeback in January.
For now, it seems like these apps are being used to drive ad revenues. In cases like this, developers often integrate auto-rooting functionality to drive app installs which can drive both perceived popularity and ad revenue. The variant of Brain Test we wrote about at the beginning of the year was actually able to use compromised devices to download and write positive reviews of other malicious apps in the Play store by the same authors.
If you are infected by LevelDropper, you can perform a factory reset on the device to get rid of the malware. Install a security app that can alert you before you install a malicious application in the future.