Savvy Internet users know not to click on strange links, but malvertising — malicious code hidden within otherwise innocuous advertisements — presents a more pernicious problem.
A new malvertising campaign isn’t content to just redirect your web browser to unsafe sites. If you're using an Android phone, it downloads and installs an Android app that can compromise your entire phone, with no known panacea. The trap is easy to avoid, but once it’s sprung, it’s sprung for good.
This information comes from the Zscaler ThreatLabZ team, a San Jose, California-based security firm. Zscaler discovered the issue by scouring the Godlike Productions forums, a hotbed of UFO and conspiracy theory activity. For once, the tinfoil-hatted commenters had it right; someone really WAS out to get them, and that someone was a cybercriminal.
What You Need to Do
The good news is that avoiding the problem is extremely simple, and you may not even be susceptible to it in the first place. In order for apps from sources other than the Google Play store to be installed, users must go into Security-->Settings and allow apps from "Unknown Sources." That function is a security risk, and is disabled by default.
Still, if you use third-party app stores (like the Amazon Appstore), you've already enabled Unknown Sources. To disable the feature, check your phone’s settings. Enabling and disabling third-party app installation will be under the Security menu, although that menu's location may vary depending on your phone.
Advertisements on the forum automatically installed an Android APK known as "kskas.apk" to users' phones. The program calls itself "Ks Clean" and promises to clean out Android device. Once installed, though, it claims that the phone is vulnerable to a security loophole and requires an update to safeguard the device.
The update, of course, is in reality another app, and a much more malicious one. This one requires administrative privileges to install, which means that the "update" app can control your phone at the deepest level.
A Godline Productions page, surrounded by iffy ads. Credit: Godlike Productions
Once installed, the update app takes no interest in either cleaning your system or plugging security gaps. Instead, it plasters your home screen with obnoxious advertisements. While it doesn’t seem to be anything more malicious than that at the moment, it does communicate to its masters using a fairly complex command-and-control server, and could distribute actual malware if its creator so desired.
Uninstalling the app is impossible, since "update" controls the device at an administrative level. Any attempt to get rid of it forces the phone into a lock screen, and at the time of writing, there's no way around it. Your only recourse is to perform a factory reset on the phone. Depending on how much data you have saved on your device, this could range from inconvenient to disastrous.
If you have to keep installing third-party apps, you can still avoid this particular menace by just denying Ks Cleaner or its update permissions when they try to install. A good Android antivirus program should also catch the app and quarantine it before it has a chance to do any damage.
As for Godlike Productions, Zscaler was unable to find the particular ads that triggered the malicious APK, so they could be gone by now. The truth, as the site’s adherents might say, is out there.