QuadRooter: Unfortunately, you can’t have it patched for now

ESET researchers have spotted fake patch apps for Android – probably the first ever malicious mobile apps masquerading as a patch for a recently discovered vulnerability.

ESET researchers have spotted fake patch apps for Android – probably the first ever malicious mobile apps masquerading as a patch for a recently discovered vulnerability.

Soon after the discovery of the QuadRooter vulnerability, a remedy appeared on the Google Play app store. Unfortunately, neither of the two apps named “Fix Patch QuadRooter” by Kiwiapps Ltd. would patch the Android system. Already pulled from Google Play on ESET’s notice, these apps were malicious, serving their victims with unwanted ads. On top of that, one of them required payment (costing 0.99 EUR).

In connection with this discovery, we put a few questions to Lukáš Štefanko, an ESET researcher specializing in Android malware.

How big a deal are those two fake patch apps you discovered?

In terms of the harm they’ve caused, it was marginal. They only reached a limited number of downloads and even those who ran them didn’t experience anything terrible. Those apps simply served their victims with ads. That’s all the harm – apart from that one-euro charge for those who opted for the paid version.

However, this is the first time we’ve seen this type of cover specifically for mobile malware. To be clear, in the past we have seen this technique used in the world of Windows. In that instance, hackers tricked online stores into installing a fake security patch for a critical vulnerability in the Magento ecommerce platform. That so-called “ShopLift bug” allowed attackers to easily gain admin access to vulnerable e-stores. One of the attacks – opened one full year after the vulnerability was patched – relied on a fake patch that delivered malware, which then exploited the very bug that it was supposed to be fixing.

Well then, mimicking a patch may be a believable cover …

Yes, and that is what’s really interesting; it targets a new audience – those who do care about the security of their system.

In the Android ecosystem, the most common covers for malicious apps are connected to popular games: free versions, tutorials, cheats … Quite frankly, security is not a top priority for those who fall victim in such cases.

Do you expect the bad guys will start using fake patches on a massive scale?

Hopefully not. However, we should make people aware of this threat.

What worries me, for example, is that fake patches – on top of having the potential to really attract users’ attention – have a valid reason to require every possible permission.

“If an app promises to make a fix within your system, it’s a scam. Period.”

And that’s true – if they are supposed to fix the system, no one would complain about excessive rights … The problem is that people don’t know that an app can’t act as a system patch.

If an app promises to make a fix within your system, it’s a scam. Period.

Please, could you highlight this in your article?

Yes, it will scream from the page. Hopefully, it’ll work. By the way, how can users fix QuadRooter vulnerabilities if fake patches don’t work?

What’s important is that QuadRooter needs to be delivered in the form of an app. It’s a threat only if you have “Unknown Sources” enabled in your settings and manually install an app from some untrusted source. On the other hand, if you have Android’s “Verify Apps” feature enabled –enabled by default in all Android versions since 4.2 Jelly Bean– you are protected. When trying to install an app using the QuadRooter exploit, Android would display the “Installation has been blocked” message – and leave you with no option to ignore the threat and install the app anyway.

That’s fine, but it’s kind of a last line of defense while having the system vulnerable, at least technically, right?

You are right, but patching is not an easy thing in the Android ecosystem.

A true patch has been prepared by Android developers for three of those four vulnerabilities, the remaining one being under current development. And as for patching your system, it depends on your device’s manufacturer. For the foreseeable future, most users will have to rely on the Verify Apps line of defense …

… and not fall victim to some contextual attack.

True. Look, you often face news about a staggering number of endangered users. But the real importance of a threat often has nothing to do with those numbers. If you stick with the very basic rules for safe behavior, you are reasonably safe.

That said, over time you should observe and learn new lessons. The actual one here is if an app promises to make any fix to your system, it’s a scam.


Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center