Zscaler Finds 'Drive By' Android Malware Installed Via Malicious Ads

Zscaler has discovered new "drive by" malware that's automatically installed on Android smartphones when they visit sites with harmful ads.

The malicious app is disguised as a utility called Ks Cleaner that purports to help you keep your smartphone in tip-top shape. Its true purpose, however, is displaying a fake system update message that claims your phone has a "security loophole" which "leads to the risk of account and personal information be [sic] stolen." You're then presented with just one option--"OK"--and selecting it gives an APK called "Update" admin privileges on your phone. Once this happens, Zscaler said, the malware's built-in protections will prevent you from revoking those privileges.

Those rights make it all but impossible to remove "Update" from your phone. The malware registers as an Android receiver to make sure it doesn't lose those admin privileges, which means you're stuck with it once it's been installed. "An Android receiver is an Android component that gets triggered in accordance with registered events and actions," Zscaler explained. "In this case, it registers a receiver for an event titled, 'DEVICE_ADMIN_DISABLED,' which locks down the device for [a] few seconds whenever the user tries to disable admin privileges."

You can see this in action in Zscaler's video:

Zscaler said its security tool has blocked "over 300 instances of malicious APKs" from this campaign in the U.S. and U.K. over the last two weeks. The malvertising appears to be centered on various online forums, but Zscaler was "not able to locate the ads that were spreading this malicious app." It said this malware is used to display ads on affected smartphones, but its list of permissions could also let it do more nefarious things:

Mount/Unmount filesystemsRead/Write bookmarks history Overlay system windowWrite SettingsDownload Without Notification

Zscaler recommends you refrain from clicking unknown links, disable the ability to install apps from unknown sources, and prevent automatic downloads in your browser settings to make sure you don't fall victim to this campaign. This advice is generally sound--there's enough Android malware out there to make anyone think twice about letting apps from who-knows-where be installed by who-knows-who as soon as you visit a site with a malicious ad. (And the recommendation not to follow suspicious links applies no matter what platform you're using at the time.)

We'd add another suggestion: Never trust system messages filled with broken language. Many will display technical terms with which most people aren't familiar, sure, but the folks at Google typically don't write "detecting there's security loophole existing in your phone" or "leads to the risk of account and personal information be stolen." Tech companies aren't always clear in their messages to users, but they usually show a basic proficiency with the users' language of choice. This might not help as much as the other recommendations, but it's worth keeping in mind.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • shrapnel_indie
    HA! clicking on unknown links!!!! Yes, please follow the advice... DON'T click on unknown links. Doesn't help a whole lot when you got ads that automatically take over your display and redirect you to a download or present false security issues. Seems the industry doesn't give a rip about such despicable bullying and invasive adverts as long as the makers get paid and those who push them into rotation (sometimes filling whole rotations with a vast majority of such crap) also get paid.
    Reply
  • derekullo
    ALL YOUR PHONE ARE BELONG TO US

    It felt appropriate.
    Reply
  • mrmez
    Not all of them. There's an Apple comment somewhere in this ;)
    Reply
  • fatalman
    Even on m.tomshardware.com an amazon-looking site is opened and phone start to vibrate in chrome (not yet experienced with firefox+ublock origin). Back button doesnt work just closing the tab works.
    Does this mean i should treat m.tomshardware.com as unknown link?
    Reply
  • AgentLozen
    FATALMAN said:
    Even on m.tomshardware.com an amazon-looking site is opened and phone start to vibrate in chrome (not yet experienced with firefox+ublock origin). Back button doesnt work just closing the tab works.
    Does this mean i should treat m.tomshardware.com as unknown link?

    I've experienced my share of OBNOXIOUS ads that vibrate my phone, disable my ability to back out and have a speech component. I absolutely hate those.
    Reply