LevelDropper Android App Infected with Autorooting Malware

Share this…

Rooting malware is getting more popular with every new week.  Security experts from Lookout have identified an app in Google Play Store that hides malware capable of rooting the user’s device in order to install unwanted applications.

The app’s name is LevelDropper and is a digital version of a common tool found on construction sites and a handyman’s toolkit.

The problem is that, after users install this app, they might notice an empty popup window appear for the LocationServices.

App uses privilege escalation exploit to root Android devices

According to Lookout’s experts, this is a red flag because it is a sign that an Android OS service has just crashed. These types of crashes are how exploits manifest themselves.

Behind the scenes, the malware hidden in LevelDropper’s code starts executing its malicious code and exploits the crash to escalate its access to the root user.

After analyzing the app’s entire code, Lookout researchers say the app didn’t feature any new rooting functions, but leveraged rooting exploits already available in the wild.

Normally, these types of exploits should have been detected by Google’s Bouncer, a security system used to scan apps before being added to the Play Store.

LevelDropper installs 14 rogue apps in half an hour

Lookout says that, 30 minutes after it installed LevelDropper, the app had already downloaded and installed 14 applications, all without user interaction.

Analyzing the infected phone’s filesystem, researcher failed to find the regular aftermath left behind by most rooting exploits, meaning the crooks took special care to hide their actions.

Besides the privilege escalation rooting exploit, researchers claim they also found two privilege escalation exploits and supporting package files such as SuperSU, busybox, and supolicy. These two additional privilege escalation exploits also had the ability to root the device.

Only last week, Trend Micro security researchers found the Godless malware, which also used rooting exploits to root Android devices and later install adware and unwanted apps. Godless’ collection of rooting exploits made it efficient against 90 percent of all Android phones on the market today.

LevelDropper app's modus operandi