Malware subscribes victim to premium rate services

Jul 7, 2015 14:00 GMT  ·  By

A fraudulent copy of BatteryBot Pro, recently pulled by Google from its official Android store, mimicked the functionality of the legitimate app and carried covert ad-fraud activity.

BatteryBot Pro was created to offer Android users the possibility to view the battery charge level in the status bar, along with other useful indicators, like time left, temperature, battery health, voltage and the time passed since the last charge.

App requires admin rights upon installation

The app is popular among Android users, with up to 500,000 installs. With a platform of over 1 billion monthly users to target, cybercriminals are constantly looking for new ways to push their malicious apps into Google Play, and one of the methods is to impersonate a legitimate app and hope the fraudulent activity goes unnoticed for as long as possible.

This approach was also employed in the case of BatteryBot Pro. The fake version maintained the utility of the original, but included a larger list of permissions and added extra code for the ad-click fraud.

Researchers at security company Zscaler found the misleading app demanded administrative access upon installation, indicating intent to take full control of the victim’s device.

The click-fraud activity ran in the background: multiple ad libraries were loaded and an ad-click campaign was then delivered.

Malware persists even after manual uninstall

“Some of these URLs were hard coded in the app and some were sent by the remote server,” Zscaler’s Shivang Desai says.

Apart from this, the malicious BatteryBot Pro downloads and installs other malware behind the user's back, capable of activities such as displaying ads and sending text messages to premium-rate services, whose numbers are pulled from the command and control (C&C) server.

The malware was built to be extremely resilient to removal attempts, and the malicious activity continues even after the app is uninstalled manually.

“While in some of the scenarios we were able to manually delete the app, the malware authors have taken care to ensure persistence. The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted,” explains Desai.

The thread functions as a service and keeps sending requests to the hard-coded C&C URLs, which results in new fraudulent apps being funneled onto the device.
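The red flags described in this article (a larger permission list than the original app, a device-administrator request at install time, premium-rate SMS, and a service that survives reboot and removal) are all visible in an app's manifest before it is ever run. The following script is an added example written for this article, not Zscaler's tooling or code from either app: it diffs the `<uses-permission>` entries of a known-good manifest against a suspect build, flags additions from a watch-list, and reports any `<receiver>` that asks for `BIND_DEVICE_ADMIN`. Both manifests, the package names and the watch-list are constructed for illustration and are not the real BatteryBot Pro manifests.

```python
"""Static manifest triage for an app that impersonates a legitimate one.

Added example (not Zscaler's tooling). Both manifests below are constructed
for illustration; they are not the real BatteryBot Pro manifests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Watch-list constructed for this example: permissions a battery monitor has
# no reason to request, mapped to the abuse each one enables.
WATCH_LIST = {
    "android.permission.SEND_SMS": "can text premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can read subscription confirmation texts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart its service after reboot",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw ad overlays on top of other apps",
}


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}


def device_admin_receivers(manifest_xml):
    """Names of <receiver> components that ask for device-administrator rights."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in rcv.iter("action")}
        if rcv.get(A_PERMISSION) == DEVICE_ADMIN_PERM or DEVICE_ADMIN_ACTION in actions:
            found.append(rcv.get(A_NAME))
    return found


def compare(original_xml, suspect_xml):
    """Report what the suspect build asks for beyond the known-good one."""
    orig, susp = permissions(original_xml), permissions(suspect_xml)
    added = sorted(susp - orig)
    return {
        "added": added,
        "removed": sorted(orig - susp),
        "flagged": [(p, WATCH_LIST[p]) for p in added if p in WATCH_LIST],
        "device_admin": device_admin_receivers(suspect_xml),
    }


# Constructed known-good manifest: a battery monitor only needs network access.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterymonitor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed impostor manifest: same app plus SMS, boot persistence, overlays
# and a device-admin receiver (the install-time admin prompt the article describes).
FAKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterymonitor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = compare(ORIGINAL_MANIFEST, FAKE_MANIFEST)
    for perm, why in report["flagged"]:
        print("FLAG %s: %s" % (perm, why))
    for rcv in report["device_admin"]:
        print("FLAG device-admin receiver: %s" % rcv)
```

A real manifest comes out of the APK in binary XML form, so in practice the input is the decoded output of a tool such as aapt or apktool rather than the source file; the diff logic is the same. The permission diff alone is not proof of malice (a legitimate update can add permissions), but an impostor of a utility app that newly asks for SMS, boot and device-admin rights is exactly the pattern the article describes.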

The researcher says that the analysis of the malware revealed traces of command execution, but this functionality was not fully implemented, suggesting that the malware author is still developing the code for an extended array of purposes.

[Image: Fake BatteryBot Pro resilient to uninstall action]

[Image: Comparison of permissions between the original BatteryBot Pro and the fake variant]