Image Source: http://blog.checkpoint.com/
Viking Horde is not a character from your favorite TV show but a new malware family currently creeping around Android devices. Security researchers at Check Point just released a report uncovering the new malware and the dangers it brings. Five apps on the Google Play Store have been found to spread the threat. Let’s see what Viking Horde is deployed for.
Viking Horde Technical Overview
Shortly put, the Android malware conducts ad fraud, but can also be deployed in other attack scenarios such as DDoS attacks and spam campaigns. Researchers warn that five, but possibly more, instances of the malware successfully bypassed Google Play’s malware scans. The Check Point research team already notified Google about the threat on May 5.
On all devices — rooted or not — Viking Horde creates a botnet that uses proxied IP addresses to disguise ad clicks, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots are used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.
Viking Horde can also deliver other malware payloads capable of remote code execution. Thus, the data on the device becomes prone to various dangers. The malware can also obtain root access privileges so that manual removal becomes really challenging or utterly impossible.
As already said, Viking Horde was found in five apps available on Google Play: Viking Jump, Parrot Copter, WiFi Plus, Memory Booster, and Simple 2048. However, the most popular of all five is Viking Jump, installed by more than 50,000 users. This is odd, to say the least, because the app doesn’t have good ratings. The other apps were installed between 50 and 5,000 times. The highest numbers of infected users that have downloaded the apps are situated in Russia, Lebanon, Spain, Mexico, and the US.
Viking Horde also employs several techniques to remain on a compromised device. The malware installs various components under system-related names so that they are harder to locate and uninstall.
In case the targeted device is rooted, two more techniques will be used:
- The app_exec component monitors whether the main application is still present. If the user uninstalls the main application, app_exec decrypts a component called com.android.security and silently installs it. This component is hidden and runs after boot; it is a copy of the original and has the same capabilities.
- The watchdog component installs updates for the app_exec component. If app_exec is removed, the watchdog reinstalls it from the update folder.
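The two persistence techniques above give a defender something concrete to look for: a package that poses as a system package (a com.android.* name that is neither installed under /system nor signed with the platform key) and dropped files whose names match the components the report describes. The following is an added example, not code from the article or from Check Point; the package inventory it scans is constructed for illustration, and the package names com.example.jumpgame and com.example.notes are invented placeholders, not the real apps' identifiers.

```python
"""Heuristic triage of an Android package inventory for the persistence
components described in the Viking Horde write-up.  Added example; the
inventory below is constructed, not captured from a real device."""
from dataclasses import dataclass, field

# Component names the article attributes to Viking Horde.
KNOWN_COMPONENT_NAMES = {"app_exec", "watchdog", "com.android.security"}


@dataclass
class Package:
    name: str                  # package name as reported by the package manager
    installer: str             # installing package ("com.android.vending" = Play); "" if unknown
    platform_signed: bool      # signed with the device vendor's platform key
    path: str                  # APK location; genuine system apps live under /system/
    files: list = field(default_factory=list)  # files seen under the package's data dir


def findings_for(pkg: Package) -> list:
    """Return a list of human-readable findings for one package (empty = clean)."""
    found = []
    # A package borrowing the com.android.* namespace but lacking the properties a
    # real system package has is a strong signal of a disguised component.
    if (pkg.name.startswith("com.android.")
            and not pkg.platform_signed
            and not pkg.path.startswith("/system/")):
        found.append(f"{pkg.name}: system-style name but not platform-signed, "
                     f"installed at {pkg.path}")
    if pkg.name in KNOWN_COMPONENT_NAMES and not pkg.platform_signed:
        found.append(f"{pkg.name}: matches a component name from the report")
    # Dropped helper binaries are referenced by file name in the report.
    for f in pkg.files:
        base = f.rsplit("/", 1)[-1]
        if base in KNOWN_COMPONENT_NAMES:
            found.append(f"{pkg.name}: drops component file '{base}' ({f})")
    return found


def scan(inventory: list) -> dict:
    """Map package name -> findings, keeping only packages with at least one finding."""
    report = {}
    for pkg in inventory:
        hits = findings_for(pkg)
        if hits:
            report[pkg.name] = hits
    return report


# Constructed sample inventory (placeholder package names, not real apps).
SAMPLE_INVENTORY = [
    Package("com.android.systemui", "", True, "/system/priv-app/SystemUI/SystemUI.apk"),
    Package("com.android.security", "", False, "/data/app/com.android.security-1/base.apk"),
    Package("com.example.jumpgame", "com.android.vending", False,
            "/data/app/com.example.jumpgame-1/base.apk",
            ["/data/data/com.example.jumpgame/files/app_exec",
             "/data/data/com.example.jumpgame/files/watchdog"]),
    Package("com.example.notes", "com.android.vending", False,
            "/data/app/com.example.notes-1/base.apk",
            ["/data/data/com.example.notes/files/notes.db"]),
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_INVENTORY).items():
        for hit in hits:
            print(hit)
```

The com.android.* check is a heuristic: a vendor may legitimately ship non-platform-signed packages in that namespace, so treat a hit as a reason to inspect the signer and install source rather than as proof of infection.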
Security Measures Against Android Malware
Unfortunately, modern malware is so sophisticated that it often bypasses security checks, even the ones employed by Google. This is exactly what happened in the case of Viking Horde. If you have read the article carefully, you have definitely noticed that users who installed the compromised apps (Viking Jump, Parrot Copter, WiFi Plus, Memory Booster, and Simple 2048) didn’t pay any attention to their bad reviews and downloaded them anyway.
To avoid running into Android malware, always remember to:
- Research your applications before installing them. Pay attention to their reviews and other users’ comments;
- Check that the permissions an app requests are justified by its functionality.
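The second check can be made mechanical: extract the permissions an app declares and compare them against what its category plausibly needs. The example below is added here and is not code from the article; the manifest it parses is constructed (the package name com.example.jumpgame is a placeholder), and the per-category baselines are an assumption chosen for illustration, not an Android or Play Store rule.

```python
"""Compare an app's requested permissions against a baseline for its category.
Added example; the manifest and the category baselines are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baselines: what an app of this kind plausibly needs.  A real deployment
# would tune these; they are illustrative only.
EXPECTED_BY_CATEGORY = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.VIBRATE",
        "android.permission.WAKE_LOCK",
    },
    "wifi-tool": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.CHANGE_WIFI_STATE",
    },
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def unexplained_permissions(manifest_xml: str, category: str) -> list:
    """Permissions the manifest requests that the category baseline does not explain."""
    baseline = EXPECTED_BY_CATEGORY[category]
    return sorted(requested_permissions(manifest_xml) - baseline)


# Constructed manifest for a simple jumping game that asks for far more than a game needs:
# SMS access and an autostart-after-boot receiver, which the article's persistence
# description makes worth a second look.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.jumpgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Jump Game"/>
</manifest>
"""

if __name__ == "__main__":
    for perm in unexplained_permissions(SAMPLE_MANIFEST, "game"):
        print("not explained by a game's functionality:", perm)
```

On a device the same comparison is done by eye in the app's permission list; the point of the baseline is to make "does this permission make sense for what the app does?" a question with a definite answer rather than a feeling.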
App permissions are crucial to your device’s security and, by extension, to all the information you store on your device. If you want to learn how to control your apps’ permissions in the different versions of Android, jump to this article:
PS. If your device has been attacked by another form of malware, like ransomware, here’s how to restore it.