Android malware detected on a popular forum is being forcibly downloaded onto users' devices; it later installs a second app that intrudes further and is difficult to remove.
Security researchers from Zscaler say the malvertising campaign seems to be delivered through malicious ads on the GodLike Productions forum, a site that ranks in Alexa's Top 11K most popular websites on the internet. These ads force the download of an Android APK.
When an APK is present on an Android system, users need to launch it manually for it to be installed. This app, too, needs to be launched, and security experts say most users have launched it because they mistook it for a cleaner app.
The app is called Ks Clean (kskas.apk), and installing it triggers an immediate pop-up that looks like a security update notification but has no "cancel" or "close" button. Users can only click "Ok" to remove the message from the screen and operate their device.
On clicking OK, a second app is installed, which asks for admin rights during its installation process. Once this permission is granted, the app uses it to show pop-up ads on the user's screen.
What's more worrying is that when users try to uninstall this second app, which is called "update", they are unable to do it. To uninstall it, the user has to revoke its admin rights. However, the app freezes the user's device for a few seconds every time he/she attempts to remove it from the admin group.
Over 300 downloads of the first-stage app have taken place in just the past two weeks. The most affected countries were the US, the UK, and France, although users from some other European countries have also downloaded the app.
How to prevent it?
Users need to disable auto-download in all their mobile browsers and turn off the "Unknown Sources" option in the Android Security settings section. Turning this option off prevents users from installing apps from outside the official Play Store.