LevelDropper: A takedown of autorooting malware in Google Play
June 2016 by Coline Magne
LevelDropper, an app in the Google Play Store that Lookout determined to be malicious, is the latest example of a new and persisting trend in mobile threats: autorooting malware. Lookout discovered the app last week and worked with Google to have it removed. All Lookout customers are protected from this threat.
At first glance, LevelDropper seemed to be a simple app to use instead of a physical level from your toolbox, but upon deeper analysis, it turned out to conceal its malicious behavior. The term “autorooting malware” represents a classification of mobile malware that silently roots a device in order to perform actions only possible with more privileges. In this case, LevelDropper stealthily roots the device and goes on to install further applications — many of them — to the victim’s device.
A closer look at LevelDropper
Immediately after running LevelDropper, Lookout noticed that the LocationServices window popped up blank. This is a significant red flag. It often indicates a potential crash that can be taken advantage of to gain an escalation in privilege. Shortly after, new applications not previously installed on the phone slowly began to appear. The app never prompted the user to install the additional apps, which generally indicates that the application must have root access. It is not possible for an application to download and install additional apps without user interaction unless the app has root access to the package manager. The following screenshots show the installation and running screens. While Lookout only shows two additional apps being installed here, the number increases the longer the app runs. After about 30 minutes, Lookout found 14 applications downloaded, without any user interaction. After closing out the app, a second icon appeared on the launcher.
Lookout had already determined that the malicious app must have root access in order to install apps silently, but when they looked through the /system directory, they didn’t see the typical indicators that a device is rooted. Usually they would see a superuser binary and often a rewritten “install-system-recovery” script, which is used to ensure that root access survives upgrades. Lookout found neither. The only evidence they could uncover was the fact that the system partition was writable (usually it is mounted in read-only mode to prevent modifications); all other evidence appears to have been removed.
When they investigated the binary files contained in the package, Lookout found two privilege escalation exploits and some supporting package files such as SuperSU, busybox, and supolicy. Both of the exploits appeared to use publicly available proof of concept code to gain root access. The malicious app also included additional APKs that make use of root privileges to display obtrusive ads in a way that is difficult to get around.
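A defender-side check for the rooting indicators described above (a superuser binary, a rewritten install-recovery script, and a /system partition mounted read-write), added here as an example; it is not part of Lookout's write-up or tooling. It assumes the standard Android locations (/system/xbin/su and friends, /system/etc/install-recovery.sh, /proc/mounts) and, so that it runs stand-alone, exercises the checks against constructed sample data rather than a live device:

```shell
#!/bin/sh
# Added example (not Lookout's tooling): checks the three rooting indicators from the
# write-up. Each check takes a root prefix or a mounts file, so on a device you would
# pass "" and /proc/mounts; here they run against constructed sample data.

# Returns 0 if /system is mounted rw in a file in /proc/mounts format ($1).
system_mounted_rw() {
    awk '$2 == "/system" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Prints the first superuser binary found under the usual paths beneath prefix $1; returns 1 if none.
find_su_binary() {
    for p in /system/bin/su /system/xbin/su /sbin/su /system/su /su/bin/su; do
        [ -f "$1$p" ] && { echo "$1$p"; return 0; }
    done
    return 1
}

# Returns 0 if install-recovery.sh under prefix $1 references a su binary or SuperSU's
# daemonsu (assumed heuristic: this is the usual way root is made to survive upgrades).
recovery_script_patched() {
    f="$1/system/etc/install-recovery.sh"
    [ -f "$f" ] && grep -Eq '/(x?bin)/su|daemonsu' "$f"
}

# Reports each indicator that fires (to stderr) for prefix $1 / mounts file $2; prints the count.
root_indicator_count() {
    hits=0
    system_mounted_rw "$2" && { echo "[!] /system mounted read-write" >&2; hits=$((hits + 1)); }
    su_path=$(find_su_binary "$1") && { echo "[!] superuser binary: $su_path" >&2; hits=$((hits + 1)); }
    recovery_script_patched "$1" && { echo "[!] install-recovery.sh references su" >&2; hits=$((hits + 1)); }
    echo "$hits"
}

# --- constructed sample data (a "rooted" and a "clean" tree plus two mounts files) ---
SAMPLE=$(mktemp -d)
printf '%s\n' '/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0' \
    > "$SAMPLE/mounts_rw"
printf '%s\n' '/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0' \
    > "$SAMPLE/mounts_ro"
mkdir -p "$SAMPLE/clean/system/etc" "$SAMPLE/rooted/system/xbin" "$SAMPLE/rooted/system/etc"
: > "$SAMPLE/rooted/system/xbin/su"
printf '#!/system/bin/sh\n/system/xbin/daemonsu --auto-daemon &\n' > "$SAMPLE/rooted/system/etc/install-recovery.sh"

echo "rooted sample:"; root_indicator_count "$SAMPLE/rooted" "$SAMPLE/mounts_rw"   # prints 3
echo "clean sample:";  root_indicator_count "$SAMPLE/clean" "$SAMPLE/mounts_ro"    # prints 0
```

On a real device the same checks run as `root_indicator_count "" /proc/mounts`; note that LevelDropper left only the writable /system indicator behind, so a count of 1 is still worth investigating.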
Malware rooting devices, a trend
In the recent past, Lookout has seen a number of families that also automatically root a victim's device, though these may be more sophisticated and persistent. In cases like this, developers often integrate auto-rooting functionality to drive app installs, which can drive both perceived popularity and ad revenue.
If you are infected by LevelDropper, you can perform a factory reset on the device to get rid of the malware. Install a security app that can alert you before you install a malicious application in the future.