If You Visited This Site, You May Have Been Infected
Posted by aonenetworks On June 17, 2017Do you visit the GodLike Productions forum? If you’re not sure what that is, then you don’t have anything to worry about, but if you’re a member of that forum, you may have been infected by a particularly nasty malvertising app.
Check your device. If you see an app called “KS Clean” (kskas.apk), then you’re infected.
The app passes itself off as an Android App Cleaner designed to analyze apps you don’t use with frequency and delete them to save space on your device. A handy thing, but unfortunately, KS Clean doesn’t actually do that at all.
Once you install it, what it does instead is trigger the installation of an “update” which poses as a security update. Unfortunately, there’s no “cancel” or “close” button on the popup window. The only option is to click “Ok” to dismiss, which allows the installation to proceed.
Of course, the update demands admin access, and once it has that, it will relentlessly display unwanted advertising on your phone. Even worse, at this point, there’s no way to safely remove the app, save for flashing your phone and restoring it to factory defaults. Understandably, most people loathe doing this because reloading contacts and content is a painful, time consuming experience.
The rogue app was spotted by researchers from Zscaler, who report that there have been more than 300 stage one downloads and installations via the forum. The victims come primarily from France, the UK and the United States.
What’s even more troubling than the fact that this app is coming from advertising displayed on a popular forum is the fact that several users started threads complaining about the malicious app, only to see the forum administrators lock, then delete them.
In short, if you visit the GodLike Productions forum, you should check your phone to see if you’ve been infected. If so, you’re going to have to resign yourself to restoring your phone to factory settings to get away from it.