14 DAY TRIAL // Android users’ vigilance is put to the test by cybercriminals who try to fool them into adding a rogue app on their device by disguising it as an ad-blocking tool.
A new strain from the Fobus malware family has been discovered to hide in plain sight, posing as a variant of the well-known Adblock Plus, a desktop browser extension that stops advertisements from loading.
Dodgy permissions should sound the alarm
Many Android developers offer their apps for free and introduce advertisements in them in order to cover their costs and make some profit. These could be annoying, especially in games, so it is understandable why users would seek an ad-blocking tool.
Security researchers at Avast have analyzed the new variant of Fobus, and apart from requesting permissions associated with spyware tools, the malware is also extremely difficult to remove from the device.
More than this, after it acquires administrator privileges, it deletes its icon from the screen and continues to function unhindered in the background.
The first sign of trouble is visible straight from the start, when the permissions list is presented. Among the requests there is the consent for making phone calls and sending messages to services that cost money; an ad-blocking tool has no use for this.
Once completely installed on the smartphone, getting rid of it proves to be a task for professionals, because the authors have integrated strong defenses against this sort of action from the user.
The researchers from Avast say that trying to strip it of the administrator privileges in order to proceed to remove it puts a lock on the screen.
A fast finger will get the job done
“The sneaky Fobus has a receiver which checks for calls on device_admin_disable_request. The moment the user tries to deactivate the device administrator, this receiver catches the request and forces the device to lock the screen with a call to the Lock Now function. This function prevents the user from confirming the deactivation,” says Jan Sirmer from Avast.
Any attempt to unlock the screen is followed by a re-lock action from the malware, with the confirmation box popping up for just a brief period of time, not enough to record the finger tap.
However, if the user does prove to be lightning-fast, a scare message appears informing that if the procedure continues, all the data on the device would be deleted through a full factory reset.
This is just an empty threat, Sirmer says, as Fobus will be stripped of its administrator privileges and the uninstall action will be able to complete successfully.
An alternative is to use third-party software, such as an antivirus product that includes the necessary routines to eliminate the app from the system.
