ANDROIDOS|GODLESS on 850K Android devices




ANDROIDOS|GODLESS on 850K Android devices


Apps distributed from Google PlayStore

An advisory posted on the Trend Micro Security blog states that 90% of Android devices (any Android 5.1 build or lower) are vulnerable to a remote exploit that can apparently attempt to be stealthy while rooting the device. It’s called Godless, and it has already impacted close to a million devices world-wide. India and Southeast Asia are feeling the wrath, with that region responsible for over 70% of the devices reported thus far.

A chart showing pain...lots of pain
A chart showing pain…lots of pain

Mobile Threats Analyst, Veo Zhang:

We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets. By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. As of this writing, almost 90% of Android devices run on affected versions. Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and has affected over 850,000 devices worldwide.

It waits until you turn the lights off

The advisory states that the malware can come from approved apps on the PlayStore, but there were other variants of Godless on other servers. While the malware had the propensity to spy on the victim, it seems the main purpose of the code was to install other apps, and deploy code that mitigates the security checks Google runs on apps. The desired end is to artificially inflate installed base metrics on application stores like Play and others.

To accomplish this, it acquires your Google Account credentials.

  1.  CVE-2015-3636 (used by the #PingPongRoot exploit)
  2. CVE-2014-3153 (used by the #Towelroot exploit)
Android-rooting-tools exploits found in

Once a user downloads these malicious apps, the malware waits until the affected device’s screen is turned off before proceeds with its rooting routine.

…We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play.

Examples of Apps

We found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games. For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code:

Flashlight app Godless
Flashlight app wit’s godless code

Earlier Godless variants drop a system app that implements a standalone Google Play client. This payload steals affected Google credentials in order to download and install apps from the said app store. Users may then receive unwanted apps “promoted” by the payload. Another purpose of this routine is to fraudulently improve certain apps’ Google Play ranking.

There is absolutely nothing wrong with rooting one’s mobile device. It can have several benefits in terms automation, performance, and basically getting the most out of a device. But when a malware roots a phone without a one’s knowledge, that’s where the fun stops.

Keep these tips in mind when installing applications

  • Always review the developer.
    • Unknown developers with very little or no background information may be the source of these malicious apps.
  • Download apps from trusted stores.
  • Use a mobile security service that can mitigate mobile malware.


%d bloggers like this: