Researchers at FireEye, an American security firm, have discovered a new malicious adware family that is rapidly affecting Android devices worldwide. Dubbed “Kemoge”, the adware is suspected to have originated in China.
FireEye says that Kemoge has affected users in more than 20 countries, including governments and large-scale industries, and that it allows for complete takeover of a user’s Android device. It disguises itself as popular apps via repackaging, so it spreads widely.
Upon initial launch, Kemoge gathers device information and uploads it to the ad server, and then it pervasively serves ads from the background. This causes ad banners to pop up on the mobile screen regardless of the current activity (ads even pop up when the user stays on the Android home screen).
In addition, the adware registers MyReceiver in the AndroidManifest to automatically launch when the user unlocks the device screen or the network connectivity changes. Researchers have provided a detailed report explaining how ultimately aps.kemoge.net is contacted for commands.
To dodge detection, Kemoge does not constantly communicate with the server. Instead, it only asks for commands on the first launch or after 24 hours from its last command. In each communication, it first posts the IMEI, IMSI, storage info, and installed app info to the remote server.
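A triage check for the two indicators described above, added here as an example and not taken from FireEye's report: it flags receivers in a decoded AndroidManifest that wake on both screen unlock and connectivity change, and counts resolver-log lookups of aps.kemoge.net per client. The two intent action strings, the log line layout (`timestamp client qname type`), the function names and all sample data are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android broadcast actions matching the two triggers in the article.
TRIGGERS = {
    "android.intent.action.USER_PRESENT",    # user unlocks the screen
    "android.net.conn.CONNECTIVITY_CHANGE",  # network connectivity changes
}
C2_HOST = "aps.kemoge.net"  # command server named in the article

# Constructed sample input (decoded manifest text and resolver log lines), not real data.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <receiver android:name=".MyReceiver"><intent-filter>
      <action android:name="android.intent.action.USER_PRESENT"/>
      <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
    </intent-filter></receiver>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
SAMPLE_DNS_LOG = [
    "2015-10-07T08:00:01Z 10.0.0.5 APS.KEMOGE.NET. A",
    "2015-10-08T08:00:03Z 10.0.0.5 aps.kemoge.net A",
    "2015-10-08T09:12:44Z 10.0.0.7 notaps.kemoge.net.example.org A",
]

def persistent_receivers(manifest_xml):
    """Names of receivers whose intent filters cover both trigger actions."""
    flagged = []
    for rcv in ET.fromstring(manifest_xml.strip()).iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if TRIGGERS <= actions:
            flagged.append(rcv.get(ANDROID + "name"))
    return flagged

def c2_clients(log_lines):
    """Map client IP -> number of lookups of the command host (exact or subdomain)."""
    counts = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        client, qname = fields[1], fields[2].rstrip(".").lower()
        if qname == C2_HOST or qname.endswith("." + C2_HOST):
            counts[client] = counts.get(client, 0) + 1
    return counts
```

Many legitimate apps listen for one of these broadcasts, so a receiver hit is a reason to inspect the app further; because check-ins happen only on first launch or once every 24 hours, a lookup count of one or two per day for a client is what an affected device would produce.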
FireEye observed that all samples (examples of Kemoge) contain simplified Chinese characters in the code and that one sample is also published on Google Play.
The security firm suggests:
- Never click on suspicious links from emails/SMS/websites/advertisements.
- Don’t install apps outside the official app store.
- Keep Android devices updated to avoid being rooted by publicly known bugs. (Upgrading to the latest version of the OS will provide some security, but it does not guarantee that you will remain protected.)





