What is Kemoge?
- Talking Tom 3
- Assistive Touch
- WiFi Enhancer
How does Kemoge Work?
- The attacker sets up a genuine-looking interface, uploads the apps to third-party app stores, and promotes the download links via websites and in-app advertisements.
- Some aggressive ad networks that gain root privilege can also install the samples automatically.
- Once activated on the device, Kemoge collects device information and uploads it to the ad server, then slyly serves ads in the background.
- Victims get ad banners frequently regardless of the current activity; ads even pop up when the user remains on the Android home screen.
Kemoge even Affects Rooted Devices
“After gaining root, it executes root.sh to obtain persistency,” FireEye researchers said. “Afterwards, it implants the AndroidRTService.apk into /system partition as Launcher0928.apk — the filename imitates the legit launcher system service. Moreover, the package name of this apk also looks like authentic services, e.g. com.facebook.qdservice.rp.provider and com.android.provider.setting.”
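As an added example (not from the original article or the FireEye report), the file and package names quoted above can be matched against the output of `adb shell pm list packages -f` saved from a device. The sample listing is constructed, and treating AndroidRTService.apk as a file name worth matching is an assumption.

```python
import posixpath

# Indicators quoted on this page from the FireEye researchers.
KEMOGE_PACKAGES = {"com.facebook.qdservice.rp.provider",
                   "com.android.provider.setting"}
KEMOGE_APK_NAMES = {"Launcher0928.apk", "AndroidRTService.apk"}

# Constructed sample of `pm list packages -f` output (not from a real device).
SAMPLE = """\
package:/system/app/Launcher0928.apk=com.facebook.qdservice.rp.provider
package:/system/priv-app/SettingsProvider/SettingsProvider.apk=com.android.providers.settings
package:/data/app/~~Qx1a==/com.example.notes-9fK2==/base.apk=com.example.notes
package:/data/app/com.android.provider.setting-1/base.apk=com.android.provider.setting
"""


def parse_pm_line(line):
    """Parse 'package:<apk path>=<package name>'; return None if malformed."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    # Newer Android versions put '=' inside the APK path, so split on the last one.
    path, sep, name = line[len("package:"):].rpartition("=")
    if not sep or not path or not name:
        return None
    return path, name


def find_kemoge_indicators(pm_output):
    """Return (package, apk_path, reasons) for entries matching the indicators."""
    findings = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed is None:
            continue
        path, name = parsed
        reasons = []
        if name in KEMOGE_PACKAGES:
            reasons.append("package name matches reported indicator")
        if posixpath.basename(path) in KEMOGE_APK_NAMES:
            reasons.append("APK file name matches reported indicator")
        if reasons and path.startswith("/system/"):
            reasons.append("installed in /system partition")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in find_kemoge_indicators(SAMPLE):
        print(f"{name}  {path}  [{'; '.join(reasons)}]")
```

The matching is exact on purpose: the genuine com.android.providers.settings package differs from the imitation name by only two letters and is not flagged.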
How does Kemoge Evade Detection?
- Uninstall designated applications
- Launch designated applications
- Download and Install applications from URLs given by server
How to Protect Against Kemoge?
- Never click on any suspicious links from emails, SMS, websites, or advertisements.
- Never install apps outside of the official App Store.
- Keep your Android devices up to date to avoid being rooted through publicly known vulnerabilities (upgrading a device to the latest version of the OS provides some security but doesn’t always guarantee protection).
- Uninstall the app showing ads.