Upon closer examination of the device’s system directory, Lookout researchers said, there were no overt signs that the Android device had been rooted. “Usually we would see a superuser binary and often a rewritten ‘install-system-recovery’ script, which is used to ensure that root access survives upgrades.”
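The two rooting indicators named in the quote, a superuser binary and a modified install-recovery script, are easy to check for on an extracted or mounted Android filesystem. The script below is an added example written for this article, not Lookout’s tooling; it assumes the script lives at /system/etc/install-recovery.sh (the standard Android path; the quote calls it “install-system-recovery”), that a stock copy makes no reference to a su daemon, and it builds a constructed sample tree so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article or Lookout): scan an Android filesystem
# extracted or mounted under $1 for the two rooting indicators the quote names.
# Assumptions: the recovery installer is /system/etc/install-recovery.sh and a
# stock copy never references su/daemonsu/supersu.

# Print each indicator found; return 0 if the tree looks clean, 1 otherwise.
check_root_indicators() {
    fs="${1:-/}"
    found=0
    # Common locations where rooting tools drop a su binary.
    for dir in system/bin system/xbin system/sbin sbin vendor/bin; do
        if [ -f "$fs/$dir/su" ]; then
            echo "INDICATOR: su binary at /$dir/su"
            found=1
        fi
    done
    # A rewritten install-recovery.sh is used to restart the su daemon on boot
    # so root persists; a stock script should not mention one.
    script="$fs/system/etc/install-recovery.sh"
    if [ -f "$script" ] && grep -Eq 'daemonsu|supersu|xbin/su|bin/su' "$script"; then
        echo "INDICATOR: install-recovery.sh references a su daemon"
        found=1
    fi
    return $found
}

# Build a constructed sample tree (clean or rooted) for offline testing.
make_sample_tree() {
    root="$1"; variant="$2"
    mkdir -p "$root/system/xbin" "$root/system/etc"
    if [ "$variant" = rooted ]; then
        printf '#!/system/bin/sh\n/system/xbin/daemonsu --auto-daemon &\n' \
            > "$root/system/etc/install-recovery.sh"
        : > "$root/system/xbin/su"
    else
        printf '#!/system/bin/sh\n# stock recovery installer\n' \
            > "$root/system/etc/install-recovery.sh"
    fi
}

# Usage: sh check_root.sh /path/to/extracted/android/fs
if [ $# -gt 0 ]; then
    check_root_indicators "$1"
fi
```

Absence of both indicators is not proof of a clean device, which is the article’s point: LevelDropper showed neither, so a scan like this should be one input alongside package and network behaviour, not the sole verdict.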
LevelDropper is just the latest in a wave of similar autorooting malware to hit the Google Play store. Lookout said Google has recently given the boot to Brain Test, ShiftyBug, Shuanet, and Shedun, each of which bundled the autoroot exploit. As with these others, LevelDropper was also pulled from the Google Play marketplace.
With LevelDropper, the attacker’s intent appears to be to drive ad revenues.
“In cases like this, developers often integrate auto-rooting functionality to drive app installs which can drive both perceived popularity and ad revenue,” Streicher explains. In the case of the autorooting malware sample called Brain Test, the attackers went so far as to hijack the victim’s phone in order to post positive reviews of similar autorooting malware-laced games, he wrote.
Root exploits are not new and trace back to 2011 with the reported GingerMaster exploit that targeted Android 2.3 and gave attackers complete control over infected devices. That malware, also packaged in infected apps, collected data on the user and downloaded and installed apps on its own, without the user’s permission. More recently, in April, Blue Coat security researchers observed a weaponized version of the Towelroot jailbreaking utility used in tandem with ransomware attacks against Android device users.
According to a 2014 report by Lacoon Mobile Security, Android root access vulnerabilities affect most devices. The exploit is tied to a vulnerability in version 3.14.5 of the Linux kernel. The firm called the bug “Towelroot,” because it is the same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by the hacker George Hotz.