Swift Cleaner is the culprit

Researchers may have discovered first Kotlin-developed Android mobile malware

Gabriela Motroc

Trend Micro has detected a malicious app which seems to be the first developed using Kotlin. Swift Cleaner, a utility tool which cleans and optimizes Android devices “is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud.”

Lorin Wu, a mobile threats analyst at Trend Micro, an IT security solutions provider, explained in a recent blog post that the company has detected a Kotlin-developed malicious app. Swift Cleaner, a utility tool that cleans and optimizes Android devices, had already been installed 1,000-5,000 times by the time the blog post was published (January 9th, 2018).

The bad news is that this app is capable of the following things, Wu wrote: “remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.”

This is how Swift Cleaner works

When users open Swift Cleaner, the malware sends their device information to its remote server and starts the background service to get tasks from its remote C&C server. When the device is infected the first time, the malware will send an SMS to a specified number provided by its C&C server, then the remote server will execute URL forwarding and click ad fraud, according to the blog post announcing the malware.

In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, it injects malicious JavaScript code and then performs regular expression replacement (a regular expression is a series of characters that defines a search pattern), which lets the malicious actor parse the ads’ HTML code for a specific search string. Subsequently, it silently turns on the device’s mobile data, parses the base64-encoded image, cracks the CAPTCHA, and sends the finished task to the remote server.

There’s more: the information of your service provider, the login information and CAPTCHA images can also be uploaded to the C&C server. Next, the C&C server automatically processes your premium SMS service subscription (a.k.a. this might get pricey).

Trend Micro has informed Google. For more details about how to see whether your device has been compromised and more details about the malware, check out Wu’s blog post.

Author
Gabriela Motroc
Gabriela Motroc is editor of JAXenter.com and JAX Magazine. Before working at Software & Support Media Group, she studied International Communication Management at the Hague University of Applied Sciences.