Trend Micro uncovers first Kotlin-developed mobile malware

Kotlin mobile malware promises to improve Android performance - but signs up users to premium-rate SMS services instead

Security researchers at Trend Micro claim to have come across the world's first malware-infested app developed on the Kotlin open-source platform.

Kotlin is a programming language intended to help developers build multi-platform software.

According to researchers at the company, users who access the dodgy app are signed up for premium SMS services without their consent or knowledge.

The security company became concerned when it came across Swift Cleaner, a tool that promises to maximise the performance of Android devices.

The app was available from the Google Play Store, and cyber crooks can use it for remote code execution, data theft, URL forwarding, advertisement fraud and even SMS sending. "It can also sign up users for premium SMS subscription services without their permission," warned researcher Lorin Wu.

"We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin - an open-source programming language for modern multiplatform applications," explained the researcher.

Google announced Kotlin support in May 2017 and pitched it as a premium language for creating Android apps. Since its release, around 17 per cent of Android Studio projects have adopted it.

High-profile companies such as Twitter, Netflix and Pinterest all use Kotlin for mobile apps - a reflection of its rapid rise in popularity. "Kotlin is described as concise, drastically reducing the amount of boilerplate code," said Wu.

Kotlin is described as safe "because it avoids entire classes of errors such as null pointer exceptions; interoperable for leveraging existing libraries for JVM, Android, and the browser; and tool-friendly because of its capability to choose any Java IDE or build from the command line."

That hasn't prevented hackers from using it to create malware, though. Trend Micro, in its research, suggested that "it's still unknown if the above-mentioned features of Kotlin can make a difference when creating malware".

When users open up the malware-infected Swift Cleaner app, their device information is sent to a remote server. It then uses a "background service to get tasks from its remote C&C server".

Wu continued: "When the device gets infected the first time, the malware will send an SMS to a specified number provided by its C&C server.

"After the malware receives the SMS command, the remote server will execute URL forwarding and click ad fraud. In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task.

"After that, the injection of the malicious JavaScript code will take place, followed by the replacement of regular expressions, which are a series of characters that define a search pattern."
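The behaviour described above (sending SMS on first infection, receiving SMS commands, reporting device information to a remote server and running a persistent background service) maps onto a small set of Android permissions that any app must declare in its manifest. The following is an added example, not code from Trend Micro or from the app itself: a static triage script that parses a constructed `AndroidManifest.xml` and flags the permission combinations a reviewer would want explained before trusting a "cleaner" utility. The capability groupings and the sample manifest are this example's own assumptions and are not a published detection signature.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used for android:name in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed capability groups for a manual review, not a Trend Micro rule.
# Each key is a capability the article attributes to the malware; the set
# holds the permissions that would grant it.
CAPABILITIES = {
    "send_sms": {"android.permission.SEND_SMS"},
    "read_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "network": {"android.permission.INTERNET"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
    "background_start": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage_manifest(manifest_xml: str) -> dict:
    """Map declared permissions to capabilities and list review findings.

    A finding is raised only for combinations that together enable one of the
    behaviours described in the article (premium SMS, remote commands, data
    exfiltration, persistence); a lone INTERNET permission raises nothing.
    """
    perms = declared_permissions(manifest_xml)
    caps = {name: bool(perms & wanted) for name, wanted in CAPABILITIES.items()}
    findings = []
    if caps["send_sms"] and caps["network"]:
        findings.append("sends SMS and reaches the network: premium-SMS subscription risk")
    if caps["read_sms"] and caps["network"]:
        findings.append("reads incoming SMS: can consume remotely triggered SMS commands")
    if caps["device_info"] and caps["network"]:
        findings.append("reads device identifiers and can transmit them to a remote server")
    if caps["background_start"]:
        findings.append("starts at boot: a background service would survive reboots")
    return {
        "permissions": sorted(perms),
        "capabilities": caps,
        "findings": findings,
        "score": sum(caps.values()),  # number of capability groups present, 0..5
    }


# Constructed sample manifest for a fictitious cleaner app; not the real APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Cleaner"/>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("capability score:", report["score"])
    for finding in report["findings"]:
        print("-", finding)
```

Run it against a manifest pulled from an APK with a tool such as `apktool` to get a quick list of the questions to put to the developer; a performance utility has no business sending or reading SMS, so any hit in the first two findings is a reason to stop the review and look at the code paths behind those permissions.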