A new Android malware family has been discovered by a cybersecurity firm. According to the firm, it is the very first Android malware family developed using the Kotlin programming language. Kotlin is an open-source programming language for modern multiplatform applications.
In May 2017, Google announced Kotlin as a first-class programming language for writing Android apps. Since then, 17% of Android Studio projects have started using Kotlin, including projects at Twitter, Pinterest, and Netflix.
The Kotlin-based Android malware was first discovered by Trend Micro. It was found in an Android app called Swift Cleaner, which was available in the Google Play Store and disguised as a legitimate phone utility app.
At the time of writing, the Android malware does not have a name yet, but Trend Micro detects it as “ANDROIDOS_BKOTKLIND.HRX”. The malicious app was spotted on infected devices under the following package names:
- pho.nec.sg.app.cleanapplication
- pho.nec.pcs
- pho.nec.sg
Luckily, Google has already removed the malware-laden fake Swift Cleaner apps from the Google Play Store so it’s safe to say that not many users were infected with this threat.
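As an added example that is not part of the article or of Trend Micro's report, the following Python checker parses the output of `adb shell pm list packages -f` and reports any installed package whose name is on the list above; the sample output is constructed, not captured from a real device.

```python
"""Check `adb shell pm list packages -f` output against the package names
Trend Micro associated with the Kotlin-based Swift Cleaner malware."""
import re
from typing import Dict, List, Tuple

# Package names quoted in the article (Trend Micro detection: ANDROIDOS_BKOTKLIND.HRX).
SWIFT_CLEANER_PACKAGES = frozenset({
    "pho.nec.sg.app.cleanapplication",
    "pho.nec.pcs",
    "pho.nec.sg",
})

# `pm list packages -f` prints one line per package: "package:<apk path>=<package name>"
_PM_LINE = re.compile(r"^package:(?P<apk>.+?)=(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path, ignoring lines that are not pm output."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installed[m.group("name")] = m.group("apk")
    return installed


def find_swift_cleaner(output: str) -> List[Tuple[str, str]]:
    """Return (package name, APK path) for every installed package on the IoC list."""
    installed = parse_pm_list(output)
    return sorted((name, path) for name, path in installed.items()
                  if name in SWIFT_CLEANER_PACKAGES)


# Constructed sample output, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/pho.nec.sg-1/base.apk=pho.nec.sg
package:/data/app/com.example.notes-2/base.apk=com.example.notes
"""

if __name__ == "__main__":
    for name, path in find_swift_cleaner(SAMPLE_PM_OUTPUT):
        print(f"IoC match: {name} ({path})")
```

Feed it the real output with `adb shell pm list packages -f > packages.txt` and pass the file contents to `find_swift_cleaner`; an empty result means none of the three listed package names is installed.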
Once a user installs and opens Swift Cleaner, the Android malware sends the user’s device information to its remote server. It then starts a background service that fetches tasks from its remote command-and-control (C&C) server. If this is the device’s first infection, the malware sends an SMS to a particular number generated by the C&C server. Once the malware receives the SMS command, its remote server begins executing URL forwarding and click ad fraud. In other words, the malware operators use both URL forwarding and click ad fraud to make the infected device click on ads and then secretly subscribe the device to premium SMS numbers.
“In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, the injection of the malicious JavaScript code will take place, followed by the replacement of regular expressions, which are a series of characters that define a search pattern. This will allow the malicious actor to parse the ads’ HTML code in a specific search string. Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server,” Trend Micro stated in its report.
Up to this point, most Android malware detected in the wild was written in Java, but the move to Kotlin did not come as a surprise to some security experts, because the language has officially become the second programming language supported by the Android operating system. Some even expect it to become the primary language for developing Android apps in the near future.