Researchers from Trend Micro recently discovered a new type of malware family, Godless, capable of rooting close to 90 percent of Android devices. The malware has a set of rooting exploits that can be used to target different Android malware versions. Early variants of the Godless malware family relied on a local exploit binary, libgodlikelib.so, while the new variant only fetches the exploit and payload from the C2 server hxxp://market[.]moboplay[.]com/softs[.]ashx in order to bypass security checks in app stores, allowing malicious apps into the Google Play Store. At the time of the Trend Micro article, Godless had infected approximately 850,000 Android devices globally, with the majority in Indonesia, India, and Thailand. The most prominent vulnerabilities the malware exploits are the PingPongRoot exploit (CVE-2015-3636) and the Towelroot exploit (CVE-2014-3153). When the Android device is effectively rooted by the malware, the attacker can infect the device with additional malware and install backdoors to spy on the victim.
- June 2016: Godless mobile malware can infect 90 percent of Android devices. (Graham Cluley)
- Additional technical details on the Godless malware family are provided by Trend Micro, available here.