A malvertising campaign detected on a popular forum is forcibly downloading an Android app on users' devices, which later installs a second app with more intrusive features and which is almost impossible to remove without flashing the user's phone.

Detected by security researchers from Zscaler, this malvertising campaign was currently only spotted via malicious ads delivered on the GodLike Productions forum, a site that ranks in Alexa's Top 11K most popular websites on the Internet.

Malvertising forcibly downloads app on users' phones

According to researchers, malicious ads displayed on this forum would auto-download an Android APK to users' devices accessing the site from their Android smartphones.

Under normal circumstances, this wouldn't be a problem as users need to manually launch the app to be installed. Unfortunately, not all users know this, and there are plenty of users who wanted to check out what this new app was and installed it.

This app's name is Ks Clean (kskas.apk), and it tries to pass as an Android cleaner app. Installing this app triggers an immediate popup that mimics a security update. Because there's no "cancel" or "close" button, users have no choice but to click "Ok" to dismiss the message.

Ks Clean app

This immediately downloads and installs a second app that is named only "update." This app asks for admin rights during its installation process.

Experts say that once the app gains admin rights, it will use them to show ads on the user's screen.

 

If users track down the source of these ads to the "update" app, they won't be able to uninstall it. Uninstalling the app requires first that the user revokes its admin rights. This isn't possible because by using a clever programming trick, the app will freeze the user's device for a few seconds every time attempts to remove its user from the admin group. A video of this "device freezing" trick is here. Enable closed captions (subtitles) for a walkthrough.

Forum admins have deleted topics about the malicious app

Researchers say they've tracked over 300 downloads of the first-stage app in the past two weeks. The most affected countries were the US, the UK, and France.

Even worse, it appears that the administrators of the forum where researchers spotted this campaign had ignored and even deleted topics where users complained about the site forcibly downloading apps on their devices.

Screenshots of deleted topics

Deleted GPL forum topic

Deleted GPL forum topic

To prevent being affected by this campaign, Zscaler researchers say users should disable auto-download in all their mobile browsers and turn off the "Unknown Sources" option in the Android Security settings section. This latter option is off by default, but some users and OEMs enable the feature for various reasons. When turned on, this feature allows users to install apps from outside the official Play Store, which is the only way the two apps above can be installed.

Report and image credits: Zscaler