Golem trojan abuses Android's Input tool

Mar 6, 2016 00:22 GMT

A new variant of an older trojan is making the rounds, and this threat has the ability to mimic user behavior, a feature that it uses to boost the malware operator's profits.

This new trojan, nicknamed Golem, is a variant of the Ghost Push malware family on which we reported last September. Ghost Push is an Android trojan with rooting capabilities that is mostly found in apps distributed through third-party app stores and is employed mainly to show unwanted ads to users.

Golem differs from Ghost Push in that it adds new functionality that abuses a built-in Android feature called "Input," reports Cheetah Mobile, a leading Android developer responsible for popular apps like Battery Doctor, Clean Master, CM Browser, CM Security, and CM Launcher.

The Input tool is prepacked in Android devices and allows developers to conduct automated testing procedures by mimicking user behavior, even simulating touch interactions and keyboard input.

Golem is abusing Android's Input tool to simulate user behavior

The company found that, after rooting the device, Golem was downloading unsolicited apps on the device, opening these apps, and abusing the Input tool to simulate user interaction with the app and its ads.
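A triage heuristic for the behavior described above, as an added example that is not from the original article or Cheetah Mobile's report: it scans a process snapshot for `input` invocations that inject events and flags those with no `adbd` ancestor, meaning they were not started from a developer's ADB test session. The snapshot layout, the sample lines and the `.hypothetical_daemon` name are constructed assumptions.

```python
import os

# Subcommands of Android's `input` shell tool that inject synthetic events.
INJECT = {"tap", "swipe", "text", "keyevent", "draganddrop", "press", "roll"}
# Java class the `input` wrapper launches via app_process (older Android releases).
INPUT_CLASS = "com.android.commands.input.Input"

# Constructed sample snapshot, assumed column layout: USER PID PPID ARGS
SNAPSHOT = """\
root 1 0 /init
shell 812 1 /sbin/adbd
shell 4410 812 /system/bin/sh
shell 4432 4410 input tap 300 900
root 2201 1 /system/xbin/.hypothetical_daemon
root 5121 2201 app_process /system/bin com.android.commands.input.Input swipe 500 1500 500 300
root 5130 2201 /system/bin/input tap 640 1100
"""

def parse(snapshot):
    """Map pid -> (user, ppid, argv); header or malformed lines are skipped."""
    procs = {}
    for line in snapshot.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1].isdigit() and parts[2].isdigit():
            procs[int(parts[1])] = (parts[0], int(parts[2]), parts[3].split())
    return procs

def injected_event(argv):
    """Return the injecting subcommand if argv is an `input` call, else None."""
    if INPUT_CLASS in argv:
        rest = argv[argv.index(INPUT_CLASS) + 1:]
    elif os.path.basename(argv[0]) == "input":
        rest = argv[1:]
    else:
        return None
    return next((t for t in rest if t in INJECT), None)

def ancestors(procs, pid):
    """Yield the executable name of each known ancestor, guarding against loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid][1]
        if pid in procs:
            yield os.path.basename(procs[pid][2][0])

def find_suspicious(snapshot=SNAPSHOT):
    """Return (pid, user, subcommand) for injections with no adbd ancestor."""
    procs = parse(snapshot)
    return [(pid, user, injected_event(argv))
            for pid, (user, _, argv) in sorted(procs.items())
            if injected_event(argv) and "adbd" not in ancestors(procs, pid)]
```

A hit is a lead for further inspection of the parent process, not proof of infection; legitimate on-device automation can produce the same pattern.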

Cheetah Mobile is reporting that over 40,000 Android users have been infected and that the number is growing by the day. Most of the victims are from South East Asia, and the hardest-hit countries are India, Indonesia, and the Philippines.

"Since Golem can control devices remotely and automatically launch and run applications without a user’s consent, these malicious behaviors will consume a lot of network data, battery power, and local device resources, slowing down phones as a result," a Cheetah Mobile security expert explains.

Because the trojan gets root privileges, removing it from affected systems might require users to start their Android device in safe mode, something much harder than many people expect. Cheetah Mobile is also offering an app called Stubborn Trojan Killer, via the official Google Play Store, which can remove this trojan and the older Ghost Push.

Top countries infected by Golem trojan