Kemoge: Android adware malware infects devices in more than 20 countries

In September, researchers at FireEye Labs discovered a family of malicious adware created by NGE Mobi/Xinyinhe, a company based in China and Singapore. On October 7, FireEye detected a similar adware family capable of completely taking over Android devices. The researchers named it Kemoge after its CnC (command-and-control) domain. The attack is believed to originate in China.


(World infection map.)

So far the malware has hit victims in over 20 countries, including China, Russia and the United States. Alarmingly, several of the victims are large industrial enterprises and even government organizations. The attackers repackage the adware inside popular apps, which lets the malware spread easily.

(Adware repackaged as popular apps.)

Attack scenario:

  • The attackers upload the repackaged app containing the malicious adware to third-party app stores.
  • Users are lured into downloading the apps from the websites where they are hosted.
  • Some aggressive adware that already holds root control of a device downloads and installs the apps automatically.
  • When the app is launched, the malware gathers device information and transmits it to the ad server.
  • From the background, Kemoge keeps serving ads regardless of what the user is doing on screen; ads appear even on the Android home screen.

To the user the malware initially looks like harmless adware, but it soon starts undermining the security of the device. In AndroidManifest.xml, the malware registers a broadcast receiver, MyReceiver, that launches automatically when the user unlocks the screen or the device connects to a new network. When MyReceiver runs, it starts MyService. Both MyReceiver and MyService are registered under a package prefix chosen to make them look like Google code, and some samples use other disguised component prefixes as well.


(AndroidManifest code snippet.)
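The two manifest traits described above, an auto-starting receiver and components named to look like Google code, are cheap to check statically. The script below is an added example written for this page, not FireEye's or the malware's code: it parses a decoded (e.g. apktool output) AndroidManifest.xml and flags components that auto-start on the real Android actions for screen unlock and connectivity change, or whose resolved name sits under a Google/platform prefix while the app's own package does not. The manifest is constructed, and the "com.google.android." prefix in it is an assumption for illustration; the page does not give the exact prefix the samples used.

```python
# Added example (not from the page or FireEye): triage a decoded
# AndroidManifest.xml for auto-starting and impersonating components.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android intent actions matching the triggers described on the page
# (screen unlock, network change) plus boot, the other classic auto-start.
AUTO_START_ACTIONS = {
    "android.intent.action.USER_PRESENT",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.BOOT_COMPLETED",
}

# A third-party app has no reason to declare its own components under these.
IMPERSONATION_PREFIXES = ("com.google.", "com.android.", "android.")

# Constructed sample manifest; the com.google.android. prefix is an assumption.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged.game">
  <application android:label="Popular Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.google.android.MyReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <service android:name="com.google.android.MyService"/>
  </application>
</manifest>
"""


def resolve_component_name(pkg: str, name: str) -> str:
    """Expand shorthand component names the way the Android framework does."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return f"{pkg}.{name}"
    return name


def triage_manifest(manifest_xml: str) -> list:
    """One finding per receiver/service/activity that auto-starts or impersonates."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in ("receiver", "service", "activity"):
            continue
        name = resolve_component_name(pkg, comp.get(ANDROID_NS + "name", ""))
        actions = {
            a.get(ANDROID_NS + "name")
            for flt in comp.findall("intent-filter")
            for a in flt.findall("action")
        }
        reasons = []
        # Component claims a Google/platform namespace the app itself does not own.
        if not name.startswith(pkg + ".") and name.startswith(IMPERSONATION_PREFIXES):
            reasons.append("name impersonates Google/platform code")
        triggers = sorted(actions & AUTO_START_ACTIONS)
        if triggers:
            reasons.append("auto-starts on " + ", ".join(triggers))
        if reasons:
            findings.append({"component": comp.tag, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_manifest(SAMPLE_MANIFEST):
        print(f"{f['component']:8} {f['name']}: {'; '.join(f['reasons'])}")
```

Run against the constructed manifest, the launcher activity passes while both the receiver (two reasons) and the service (impersonation only) are reported; on a real sample, point it at the manifest apktool decodes from the APK.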

When MyService starts, it searches for files such as info.mp4, hello.mp4 or bg.mp4. These are not videos but multi-level encrypted ZIP archives disguised as MP4 files. The archive's contents are protected with password-based ZIP encryption; that layer is in turn protected with DES, the DES key is encrypted under a second DES key, and the second DES key is broken into bytes scattered through the code. At runtime the malware reverses the chain: it reassembles the second DES key from the scattered bytes, uses it to decrypt the first DES key, and uses that key to unlock the ZIP and release the payload.

After the archive is unzipped, the following files are extracted:

  • apk
  • sh
  • busybox
  • su
  • .root
  • root_001, root_002, root_003, root_004, root_005, root_006, root_007 and root_008

In total there are eight root exploit executables, enabling Kemoge to target a wide range of Android devices. Once it gains root, the malware implants AndroidRTService.apk in the system partition under the name Launcher0928.apk, mimicking the filename of a legitimate launcher.
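The disguise described above (a ZIP archive carrying rooting tools, stored under a .mp4 name) is easy to spot without any decryption, because the ZIP container format is not encrypted: the "PK" magic, the entry names and the per-entry "encrypted" flag are all readable in clear. The script below is an added example for this page, not FireEye's or Kemoge's code. It compares each file's extension with its real content, and for archives lists entries flagged encrypted and entries whose names match the payload list above (su, busybox, .root, root_NNN, .apk, .sh). The sample files are constructed in memory; since the standard library cannot write password-protected ZIPs, the helper sets the "encrypted" flag bit in the headers by hand to mimic one.

```python
# Added example (not from the page or FireEye): detect ZIP data hiding behind
# media extensions and inspect it for encrypted entries and rooting-kit names.
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
MEDIA_EXTENSIONS = (".mp4", ".mp3", ".jpg", ".png")

# Payload names listed on the page (su, busybox, .root, root_001..root_008)
# plus the .apk and .sh it mentions.
PAYLOAD_NAME = re.compile(r"^(su|busybox|\.root|root_\d{3}|.+\.(apk|sh))$")


def looks_like_mp4(data: bytes) -> bool:
    """ISO-BMFF (MP4) files carry an 'ftyp' box right after the 4-byte box size."""
    return data[4:8] == b"ftyp"


def classify(name: str, data: bytes) -> dict:
    """Compare extension with content; for ZIPs, note encrypted and payload-like entries."""
    result = {
        "name": name,
        "is_zip": data.startswith(ZIP_MAGIC),
        "looks_like_mp4": looks_like_mp4(data),
        "encrypted_entries": [],
        "payload_entries": [],
        "reasons": [],
    }
    if result["is_zip"]:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                    result["encrypted_entries"].append(info.filename)
                if PAYLOAD_NAME.match(info.filename):
                    result["payload_entries"].append(info.filename)
    disguised = result["is_zip"] and name.lower().endswith(MEDIA_EXTENSIONS)
    if disguised:
        result["reasons"].append("ZIP archive behind a media file extension")
        if result["encrypted_entries"]:
            result["reasons"].append("entries are encrypted (payload hidden from static inspection)")
    if result["payload_entries"]:
        result["reasons"].append("rooting-kit file names: " + ", ".join(result["payload_entries"]))
    result["verdict"] = "suspicious" if result["reasons"] else "clean"
    return result


def scan(files: dict) -> dict:
    """Classify every (name -> bytes) pair, e.g. the assets pulled out of an APK."""
    return {name: classify(name, data) for name, data in files.items()}


def build_zip(entries: dict, mark_encrypted: bool) -> bytes:
    """Build a ZIP in memory. stdlib zipfile cannot write encrypted archives, so to
    mimic a password-protected one we set flag bit 0 in every local file header
    (offset 6) and central directory header (offset 8) afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_offset] |= 0x1
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


# Constructed samples: a disguised, "encrypted" rooting payload; a genuine-looking
# MP4 header; and an ordinary resource archive that must not be flagged.
SAMPLES = {
    "info.mp4": build_zip(
        {"su": b"(stub)", "busybox": b"(stub)", "root_001": b"(stub)",
         "AndroidRTService.apk": b"(stub)"},
        mark_encrypted=True,
    ),
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32,
    "assets.zip": build_zip({"levels/1.json": b"{}"}, mark_encrypted=False),
}

if __name__ == "__main__":
    for name, res in scan(SAMPLES).items():
        print(f"{name:12} {res['verdict']:10} {'; '.join(res['reasons'])}")
```

The check deliberately stops at the container: the real samples' payload sits behind the password/DES chain, so a static scanner can only report that an archive is disguised and encrypted, not what it holds. That is still enough to pull the file for dynamic analysis.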

When FireEye ran the malware, the app tried to uninstall antivirus and other legitimate applications, presumably to clear the way for further attacks on the device. FireEye also found one Kemoge sample on the Google Play Store, but with its CnC communication and root exploits removed, most likely so that it would pass Google's vetting process. Even so, that version still contacts remote servers to fetch ads.

FireEye has notified Google about the app and has warned users about the threat this malware poses. Users should avoid clicking suspicious links or installing apps from unofficial app stores.



YiSpecter malware can infect non-jailbroken iOS devices

Palo Alto Networks has detected malware capable of infecting even non-jailbroken iOS devices. The researchers have named it YiSpecter. It uses an unusual method: abusing private iOS APIs to infect devices. Private APIs are undocumented by Apple, so their use escapes detection. Apple's App Store has around 100 such […]

Trading firm Scottrade hacked, loses information of 4.6 million customers

St. Louis-based Scottrade Inc. has sent an email to its clients informing them of a cyber-attack that affected its systems. The company revealed that it was alerted to the breach by FBI agents, who have been investigating it; the intrusion occurred sometime between late 2013 and early 2014. It was further […]

Thousands of medical systems are exposed to widespread cyber-attacks – Derbycon

Recent research presented by Scott Erven and Mark Collao at Derbycon has revealed that thousands of medical systems are exposed to widespread cyber-attacks. The researchers reported that a large U.S. medical organization with 12,000 staff and 3,000 physicians has over 68,000 vulnerable systems, and they indicate that this is just the tip of […]

An exploit can completely bypass Mac's Gatekeeper malware protection

Gatekeeper is the security feature of Mac OS X that protects users from malicious applications and code execution on their Macs. It warns users before they install unsigned apps or apps downloaded over an unencrypted connection, and it does an effective job of blocking trojans and applications carrying malicious code. However, […]

50 million users impacted by WinRAR bug

On 28 September 2015, a vulnerability was reported in WinRAR SFX v5.21, the latest version of the widely used file compression tool. Attackers can exploit the vulnerability to compromise a computer with WinRAR installed. The bug is in the "text and icon" function under the module "Text to display in […]

Smartphone browsers can deliver a powerful DDoS attack: a 4.5 billion request flood

One of the most damaging attacks that can be launched against a website is flooding it with more requests than it can handle, known as a DDoS attack. According to internet security researchers, this nightmare may recently have become reality after one site was targeted in such a manner with the aim of overwhelming […]

Two new point-of-sale malware families target small and medium businesses in the United States

Two new malware families that infect point-of-sale (PoS) machines have been detected by researchers at Trend Micro. They have been hitting small and medium-sized businesses (SMBs), primarily in the United States. Their developers named them Katrina and CenterPoS. Trend Micro researchers had earlier reported PoS […]

Hilton Hotel credit card users fall victim to fraudsters

In the past few weeks, reports from several players in the banking industry have revealed that hackers may have gained entry into the payment systems of the Hilton hotel chain. The reports indicate that customers of the luxury hotel chain and its entities within the United States may have fallen victim to credit card fraud. […]

Android devices hijacked by Chinese company for guaranteed clicks around the world

A mobile app development company has been identified as the distributor of malicious applications worldwide, hacking the Android phones of the users who install them. The apps grant complete access to the users' Android devices, and the attackers can take total control of them. These malware apps […]