Pop-up Android adware uses social engineering to resist deletion

A malicious Android app that downloads itself from advertisements posted on forums strongly resists removal, security firm Zscaler warns. The dodgy Android utility poses as "Ks Clean", an Android cleaner app. Once installed, the app displays a fake system update message in which the only option presented to the user is to …

  1. Your alien overlord - fear me

    If you've rooted your phone, chances are you've got a third-party app which uninstalls system apps anyway (gets rid of bloatware from phone manufacturers/telcos).

    1. DougS Silver badge

      So that helps, what, 1 or 2% of the user base?

  2. Anonymous Coward

    No other options but to press "OK"

    "Back" button?

    1. John Riddoch

      Re: No other options but to press "OK"

      Depends how it's coded, it could handle that as a "no action". You'd probably have to open up a task list and kill it off manually.

      In any case, that is horrifically bad English, so it's pretty obvious the author is not a native speaker. It would be interesting to see what a linguistic analysis of it could reveal about the author.

      1. Prosthetic Conscience
        Headmaster

        Re: No other options but to press "OK"

        that is horrifically bad English, so it's pretty obvious the author is not a native speaker

        One does not imply the other, but the latter definitely should ring alarm bells. I've seen some horrific English from my British colleagues, and from customers as well; it makes me cringe every time.

        1. Brenda McViking
          Headmaster

          Re: No other options but to press "OK"

          Lots of the present continuous being used with a lack of pronouns and a style that I find quite familiar. My guess (living here right now and reading English like this all the time) is that it is Indian in origin.

    2. Paul Renault

      Re: No other options but to press "OK"

      Perhaps the task switching button, then swipe the task left or right to kill it?

      1. DougS Silver badge

        Re: No other options but to press "OK"

        There's a special kind of horrific English that spammers and malware authors use that's distinct from the horrific English that some native English speakers use. It is impossible to confuse the two.

        If they'd just advertise on Craigslist in the US or UK for someone with an English degree to correct their spelling and syntax, they'd probably have a lot higher success rate in getting past what little skepticism the typical user has (yes, I know that misspellings in spam are deliberate to avoid filters).

        I wonder if they have better results for infecting their countrymen (Chinese or Russian, most likely)

        1. Allan George Dyer Silver badge

          Re: No other options but to press "OK"

          @DougS - "correct their spelling and syntax, they'd probably have a lot higher success rate in getting past what little skepticism"

          One possibility is that the intention of the bad spelling and syntax is to filter out targets with even a little skepticism. They only want the most gullible victims for stage 2.

          1. DougS Silver badge

            Re: No other options but to press "OK"

            Never thought of it that way, but it makes a certain kind of sense. They don't want to waste their time trying to talk a skeptical target into it. They want a credulous target who is dumb enough to believe anything.

            1. Stuart Halliday
              Unhappy

              Re: No other options but to press "OK"

              Which will be 99% of the market. If you've never worked directly with the general public on IT issues, you're in for a shocking surprise as they'll trust anything, anywhere.

          2. Bucky 2

            Re: No other options but to press "OK"

            One possibility is that the intention of the bad spelling and syntax is to filter out targets with even a little skepticism.

            It sounds logical. But writing malware, to me, would be a lot of stress. What if you get caught? What if you extort money from someone who can't really afford it, like someone's grandmother or something?

            No. You write malware because you don't have the option of making a decent living doing normal programming, and then going home, and sleeping peacefully through the night.

            The best reason I can think of for the lack of options is that your salable skills are iffy.

            1. DougS Silver badge

              Re: No other options but to press "OK"

              The guy who writes the malware and the guy who distributes it usually aren't the same.

      2. JetSetJim Silver badge
        Mushroom

        Re: No other options but to press "OK"

        > Perhaps the task switching button, then swipe the task left or right to kill it?

        Press and hold the power button, restart device.

        Swipe down and toggle airplane mode on - connection timeout...

        Or take the icon option, from orbit, preferably

    3. Mark Simon

      Re: No other options but to press "OK"

      Unless, of course, you take the Microsoft approach and interpret Back as OK.

  3. Planty Bronze badge
    FAIL

    bzzzttt wrong...

    "A malicious Android app that downloads itself from advertisements posted on forums "

    Try again. I does nothing of the sort. even withstanding you need to have turned off only allowing browsing in the Google Store, after ignoring the warnings of doing so, AND you oped out of the app scanning, even then, it doesn't "download itself". It's a message dialog generated by the BROWSER that is trying to fool you into downloading and installing an APK.

    If you can't understand these basics, should you really be writing about security?? Just sayin'

    1. Anonymous Coward

      Re: bzzzttt wrong...

      This sort of thing succeeds because... there are so many reasons why, including user stupidity. I wish that Google would copy Apple when it comes to app security. For some reason they have a lot fewer problems like this.

      There are times (like this) that the Apple walled garden seems rather attractive.

      1. Anonymous Coward

        Re: bzzzttt wrong...

        Problem is of course, Jailbroken Apple devices have EXACTLY the same attack vector. Windows devices have had that same attack vector (without needing to root, or change anything).

        If you are jailbroken (which in the Apple world, is essentially the same as ticking the "allow installation of apps from untrusted sources" checkbox on Android), then guess what? Yep, a webpage can show a system dialog (as Safari also uses system dialogs in the browser), that makes it look like you need to download a file to install. If you install that file, you have become infected.

    2. Chunes

      Re: bzzzttt wrong...

      "Try again. I does nothing of the sort. even withstanding you need to have turned off only allowing browsing in the Google Store, after ignoring the warnings of doing so, AND you oped out of the app scanning, even then, it doesn't "download itself"."

      No offense, but if you don't understand grammar should you really be writing?

      1. Anonymous Coward

        Re: bzzzttt wrong...

        doesn't make it any less untrue...

    3. Uffish

      Re: "If you can't understand these basics"

      The bloody basics are that there is a bit of nasty out there that gets itself admin privileges. For that heads up I am grateful to El Reg.
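The removal problem the thread keeps circling (a dialog that swallows Back, an app that has made itself a device administrator so the normal uninstall is refused) is easier to deal with over adb than on the handset's own screen. The following is an added example, not code from the article, from Zscaler or from any commenter: it lists the admin components reported by `adb shell dumpsys device_policy` and prints the adb commands to try for each. The dumpsys layout it parses and the package name `com.example.fakecleaner` are assumptions, and the sample dumpsys text is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example, not from the article or the comments. Lists the device
# admins reported by `adb shell dumpsys device_policy` and prints the adb
# commands to try when an app that has made itself a device admin refuses
# to uninstall. The dumpsys layout and the package name are assumptions
# and the sample output is constructed, not details taken from the page.

# Print the "pkg/Receiver" components listed under "Enabled Device Admins"
# blocks of dumpsys device_policy text read from stdin.
list_device_admins() {
    awk '
        /^ *Enabled Device Admins/ { in_block = 1; next }
        in_block && /^ *[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:$/ {
            sub(/^ +/, ""); sub(/:$/, ""); print
        }
    '
}

# Print the adb commands for one admin component. pm refuses to uninstall
# an active device admin, so the admin role has to go first. Caveat:
# dpm remove-active-admin only works for admins that declared testOnly;
# for anything else, deactivate it under Settings > Security > Device
# admin apps (boot into safe mode if the app keeps covering the screen)
# and then rerun the last two commands.
removal_commands() {
    component="$1"
    pkg="${component%%/*}"
    printf '%s\n' \
        "adb shell dpm remove-active-admin $component" \
        "adb shell am force-stop $pkg" \
        "adb shell pm uninstall --user 0 $pkg"
}

# Constructed sample of dumpsys output (assumed layout, not a real capture).
sample_dumpsys() {
    cat <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakecleaner/.AdminReceiver:
      uid=10234
      testOnlyAdmin=false
      policies:
        force-lock
EOF
}

# Usage: on a real device, replace sample_dumpsys with
# `adb shell dumpsys device_policy` and review the printed commands
# before running them.
sample_dumpsys | list_device_admins | while read -r comp; do
    removal_commands "$comp"
done
```

The script only prints the commands rather than running them, because the package you see under "Enabled Device Admins" may be a legitimate MDM or anti-theft agent; check the name before stripping its admin role.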

  4. Anonymous Coward

    GodLikeProductions?

    A home of the tinfoil hat brigade posturing about exposing all sorts of nasties? Pot: kettle here you are black.

  5. Comments are attributed to your handle
    Mushroom

    Taking a page from Microsoft's Windows 10 upgrade "feature"

  6. Hstubbe

    Ah, Zscaler. They actually think MITM-ing all traffic and downgrading to TLS 1.1 is helping me become more secure. Clueless company who probably released this scary story to sell more of their intrusive crap. Nothing to see here folks, this is just marketing.

  7. Anonymous Coward

    Don't worry, Google can issue a patch and OEMs won't give a shit to update your phone, because you're no longer a customer the moment you press pay... just an unnecessary cost.

    Good luck.

    1. Anonymous Coward

      Hooray for Clever Google! Releasing patches they know won't be applied and shipping an OS without an OTA update mechanism! Boo to the evil OEMs, taking that free software because it's free and putting the bare minimum effort into getting it to run.

      You are right about one thing, once you press pay you're no longer a customer, but you're not an unnecessary cost either, you're a google ad trackee and revenue stream, with all your keyboard activity (by default on marshmallow) punted to Google for "analysis".....

  8. Cuddles Silver badge

    Joke's on them

    My phone would have to actually receive security updates before I could be fooled into installing malware pretending to be a security update.

  9. bombastic bob Silver badge
    Mushroom

    a special place in hell

    for those who write [cr]apps like this


Biting the hand that feeds IT © 1998–2019