Researchers at Zscaler have recently reported a malicious Android app that spoofed the legit app named BatteryBot Pro. The spoofed app contained the package name “com.polaris.BatteryIndicatorPro”. As soon as Google became aware of the malicious intent, the company removed the app from the Play Store.
Brief Summary of the Malicious App
The app requested inordinate permissions from the user in an attempt to fully control the Android device. The goal of the criminals behind this scam was to gather enough devices as it would have generated them profit from click fraud, premium SMS fraud and ad fraud. But their abusive intents didn’t end with this as they tried to provide downloading and installing other malicious Android packages called APKs.
Real vs. Malicious BatteryBot Pro App
The spoofed app BatteryBot Pro comes in a free and Pro version and is a well-known battery indicator app for Android devices. The legitimate app has been downloaded more than 500,000 times, according to Google Play statistics.
According to the researcher of Zscaler, Shivang Desai the malicious app requests dozens of permissions, and many of them are benign. The ill-intentioned include permission to send SMS messages, access the Internet, get accounts, mount and unmount file systems, download without notification and process outgoing calls.
In comparison with the malicious app, the permissions that the legit app requests are rather limited. They include reading and modifying the contents of a USB storage device, permission to run at startup, disable the lock screen, control vibration and prevent the device from sleeping.
→“Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access to the victim’s device. Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background,” explained Shivang Desai in a Zscaler report.
Furthermore…
In addition to the information for the disservice of the app, Zscaler pointed out collecting specific data from a device. Information from the available memory, the IMEI number, location, language, SIM card availability, the device model is obtained. Another disservice noticed is loading various libraries in order to pursue click fraud. However, the most annoying disservice is subtle receiving a list of ads to be displayed together with the URLs for where to bring in the ads. In a short time, the device begins to download more APKs and displays pop-up ads to the user.
However, the most staggering fact discovered is that as long as the app gains admin access it can’t be removed by the user.
→“The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted. This acts as a service and sends requests to hard-coded URLs found in the app,” said Desai.
Thus, a pathway between the device and the attacker is introduced and new requests can be made.