Malicious Android App Installed by Thousands of Users

Trend Micro discovered an application in the Google Play store posing as Swift Cleaner, a tool marketed as a junk file cleaner for Android devices. Written in Kotlin, an open-source programming language, the app can execute code remotely, steal data, send SMS messages, forward URLs, and commit click fraud on infected devices. Detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX, the malware works by uploading the victim's information to a command-and-control (C2) server, including CAPTCHA images, mobile service provider data, and login information. After the upload, the device is subscribed to a premium SMS service without the user's consent, and the resulting charges appear on the victim's phone bill. The NJCCIC recommends that users who installed the malicious Swift Cleaner app uninstall it immediately and review Trend Micro’s report for Indicators of Compromise (IoCs). Monitor mobile phone bills for suspicious or fraudulent charges generated by the SMS service and report them to your mobile carrier immediately. Additionally, we recommend running a reputable antivirus application on all devices, avoiding apps that request permissions unrelated to their stated purpose (a junk file cleaner has no need to send or read SMS messages), and refraining from downloading any apps from third-party, unofficial app stores.
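The following is an added example, not code from the original advisory or from Trend Micro, showing two offline checks a responder can run on a device after reading the report: first, whether an installed app requests permissions that a junk file cleaner has no use for (SMS and telephony access are what make premium SMS subscription fraud possible), parsed from `adb shell dumpsys package <pkg>` output; second, whether any APK files pulled from the device match a list of SHA-256 IoC hashes. The package name, the dumpsys excerpt, the APK contents and the hash list are all constructed for the example; the real hashes come from the report's IoC list, and the high-risk permission set is the editor's choice based on the behaviour described above.

```python
"""Post-compromise checks for a suspected premium-SMS fraud app (added example).

1. parse_requested_permissions(): pull the 'requested permissions' block out of
   `adb shell dumpsys package <pkg>` output.
2. flag_permissions(): flag permissions a cleaner app should never need.
3. match_iocs(): compare SHA-256 hashes of pulled APKs against an IoC list.
"""
import hashlib
import os
import re
import tempfile

# Permissions that enable the behaviour attributed to the malicious app:
# sending premium-rate SMS, reading replies, and learning the carrier.
# This set is an assumption chosen for the example, not taken from the report.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS messages",
    "android.permission.RECEIVE_SMS": "can intercept subscription confirmations",
    "android.permission.READ_SMS": "can read stored SMS content",
    "android.permission.READ_PHONE_STATE": "can read carrier and subscriber data",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after reboot",
}

# A permission line in the 'requested permissions' block: indentation, then a name.
PERMISSION_LINE = re.compile(r"^\s+([A-Za-z0-9_.]+)$")


def parse_requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'."""
    perms = []
    in_block = False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # The next section header (e.g. 'install permissions:') ends the block.
            if line.strip().endswith(":"):
                break
            m = PERMISSION_LINE.match(line)
            if m:
                perms.append(m.group(1))
    return perms


def flag_permissions(perms):
    """Map each high-risk permission the app requests to the reason it matters."""
    return {p: HIGH_RISK_PERMISSIONS[p] for p in perms if p in HIGH_RISK_PERMISSIONS}


def sha256_of(path):
    """Stream a file through SHA-256 so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_iocs(apk_paths, ioc_hashes):
    """Return the paths whose SHA-256 appears in the IoC hash list (case-insensitive)."""
    wanted = {h.lower() for h in ioc_hashes}
    return [p for p in apk_paths if sha256_of(p) in wanted]


# Constructed dumpsys excerpt for a hypothetical package; the package name is made up.
SAMPLE_DUMPSYS = """\
  Package [com.example.swiftcleaner] (3f2a1b):
    userId=10187
    versionName=1.2
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
      android.permission.SEND_SMS
      android.permission.RECEIVE_SMS
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Constructed stand-in for an APK pulled with `adb pull`; not a real archive.
SAMPLE_APK_BYTES = b"PK\x03\x04 constructed placeholder, not a real APK"


def demo():
    """Run both checks on the constructed data; returns (flagged perms, IoC hit count)."""
    flagged = flag_permissions(parse_requested_permissions(SAMPLE_DUMPSYS))
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "base.apk")
        with open(apk, "wb") as f:
            f.write(SAMPLE_APK_BYTES)
        # In a real investigation this set is copied from the report's IoC list.
        iocs = {hashlib.sha256(SAMPLE_APK_BYTES).hexdigest().upper()}
        hits = match_iocs([apk], iocs)
    return flagged, len(hits)


if __name__ == "__main__":
    flagged, hits = demo()
    for perm, reason in flagged.items():
        print(f"RISK  {perm}: {reason}")
    print(f"IoC hash matches: {hits}")
```

On a real device, replace `SAMPLE_DUMPSYS` with the output of `adb shell dumpsys package <package>` and pass the paths reported by `adb shell pm path <package>` (pulled with `adb pull`) to `match_iocs`. A permission hit is a reason to look closer, not proof of infection; the hash match against the report's IoCs is the confirming check.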