Android malware which self-downloads is targeting users in the UK, US and France
Malvertising campaign leads to the download of two apps that are impossible to remove
An Android app that downloads itself via malicious advertisements posted on forums is targeting users in the UK, US and France.
The app, which was identified by IT security company Zscaler on the conspiracy forum GodLike Productions, forms part of a malvertising campaign, and begins as a malicious ad. It auto-downloads an Android APK to users who are accessing the forum website from their Android smartphones.
The app, dubbed Ks Clean, aims to fool users into thinking it is an Android cleaner app. However, only users who manually launch the downloaded app to install it are under threat.
Once the app is installed, a fake security update immediately pops up with no option to cancel or close it, leaving users no choice but to click 'Ok' to dismiss the message. However, this immediately triggers the download of a second app, called 'update', which then asks for admin rights during its installation process.
Once the second app gains admin rights, it becomes impossible to remove from the device - the 'uninstall' option is disabled by default because users cannot remove apps that have admin rights in Android.
Zscaler said that the usual way around this would be to remove the app's admin privileges via settings and then uninstall it. However, the app uses the unconventional method of registering as an Android receiver to preserve its admin privileges.
An Android receiver is triggered by the events and actions it has registered for. In this case, the app's developers have ensured that the device is locked down for a few seconds whenever the user tries to disable admin privileges.
The app then continues to show the device owner advertisements, even while the user is using other apps.
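A triage check a defender can run on a decoded AndroidManifest.xml (for example, one produced by apktool), added here as an example and not taken from Zscaler's analysis or the article: it lists receivers registered as device administrators and notes whether they subscribe to the broadcast sent when a user asks to disable admin rights. The manifest, package name and class names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
DISABLE_REQ = "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def find_device_admin_receivers(manifest_xml):
    """Return one dict per receiver that is registered as a device admin."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        # A device admin receiver is guarded by BIND_DEVICE_ADMIN and
        # declares the DEVICE_ADMIN_ENABLED action in its intent filter.
        if rcv.get(A + "permission") == BIND_ADMIN and ENABLED in actions:
            findings.append({
                "package": root.get("package"),
                "receiver": rcv.get(A + "name"),
                # True when the receiver also declares the disable-request action.
                "handles_disable_request": DISABLE_REQ in actions,
            })
    return findings

if __name__ == "__main__":
    for finding in find_device_admin_receivers(SAMPLE_MANIFEST):
        print(finding)
```

A device admin receiver is not malicious by itself; the finding is a prompt to review what the app does when the disable request arrives.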
The researchers said they've tracked over 300 downloads of the first app in the past two weeks, with the most affected countries being the UK, US and France.
They also claim that the forum administrators ignored and deleted topics about the apps being forcibly downloaded onto users' devices.
Zscaler said that Android users should safeguard themselves from this threat by not clicking on unknown links, disabling unknown sources and disabling auto-download in Android browsers.