FireEye Labs mobile researchers discovered a malicious adware family quickly spreading worldwide that allows for complete takeover of an Android user’s device. This attack is created by a mobile app promotion company called NGE Mobi/Xinyinhe that claims to be valued at more than $100M with offices in China and Singapore.
The malicious adware uses novel techniques to maintain persistence and obfuscate its activity, including installing system level services, modifying the recovery script executed on boot, and even tricking the user into enabling automatic app installation. We have observed over 300 malicious, illegitimate versions of Android apps being distributed, including: Amazon, Memory Booster, Clean Master, PopBird, YTD Video Downloader, and Flashlight.
By taking control of mobile devices via its adware, NGE Mobi is able to “guarantee” downloads of the apps it gets paid to promote. They also generate ad revenue by serving ads via full control of a victim’s device.