Kotlin-based Android malware discovered in Google Play Store

by Ugnius Kiguolis - - 2018-01-12

First Android malware created in open-source programming language Kotlin detected in Google Play Store

New variants and updates of Android virus^[1] emerge frequently. Recently, a brand new mobile malware was detected in Google Play Store. The significant feature is that it is created in Kotlin programming language which was announced as a first-class language for Android apps.^[2]

Researchers from Trend Micro^[3] detected it as ANDROIDOS_BKOTKLIND.HRX. According to their data, a malicious app was downloaded from 1,000-5,000 times. The malware was presented as Android optimization app called Swift Cleaner in the official Play Store.

This Kotlin Android malware can get remote access to the affected smartphone or tablet. It can also send SMS on behalf of the user or sign up for various premium SMS services. The mobile virus might perform ad click fraud and URL forwarding. However, the biggest damage it might cause is victim’s identity theft.

Swift Cleaner virus features and activity

Once malicious Swift Cleaner app is installed in the system, it collects device’s information and sends it to the remote Command and Control (C&C) server. Additionally, it launches specific processes in the background in order to get and execute tasks received from C&C server.

The first task malware receives – to send SMS message to the particular number that is given by the C&C server. Then server launches URL forwarding and ad click fraud activities. Malware compromises Wireless Application Protocol (WAP) and injects malicious Javascript code to perform ad click fraud.

Additionally, Kotlin virus can extract information about user’s service provider, login information, and similar sensitive data. What is more, it can sign in user’s phone number for premium SMS services and make him or her pay for it.

How criminals managed to use Kotlin for illegal purposes is unknown

In May 2017, Google announced that Kotlin is the first-calls language for creating Android apps.^[4] This open source programming language was used for creating about 17% projects for the Android operating system.

Additionally, some of the most popular apps, such as Netflix, Twitter or Pinterest, use Kotlin because it allows creating safer applications. Among other cons of this coding language is the ability to use libraries for HVM, Android and web browser.

However, it’s still unknown how criminals managed to take advantage of this open-source language to create another Android virus. Unfortunately, evil-minded people always find a way how to exploit legit and safe open-source codes for their malicious purposes. Similar problems exist with Chromium and HiddenTear^[5] projects.

Thus, Internet users should be aware of the possible threats that might be hiding even in the legit app download sources and always double-check the information before downloading app or program to their devices. Cautiousness helps to protect privacy and digital data.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Jake Doevan. Android virus. How to remove? (Uninstall guide). 2-spyware. Cyber security and spyware news.
^ Paul Miller. Google is adding Kotlin as an official programming language for Android development. The Verge. Covers technology, science, art, and culture themes.
^ Lorin Wu. First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services. Trend Micro blogs. Security news, views and opinion.
^ Maxim Shafirov. Kotlin on Android. Now official. JetBrains blog. The official company blog.
^ Catalin Cimpanu. Hidden Tear Open-Source Ransomware Spawns 24 Other Ransomware Variants. Softpedia news. Latest news and reviews.