What is alarming that the spoof app looks like has got past Google’s self-praised Bouncer app vetting system. The company thinks that the malicious version of the BatteryBot battery indicator app was most likely making an effort to bring together an army of compromised devices for premium SMS scams, click fraud and ad fraud. The bogus BatteryBot Pro that has now been removed from Play Store was offered for free (the real thing sells for Rs. 179.99, approx US$2.84). As Shivang Desai of Zscaler writes, its plans were disclosed by the permissions it tries to get from the user. (basically, everything). It also makes an attempt to collects many device stats like available memory, language, phone model, IMEI, location, carrier, and SIM card availability. Specific red flags recognized p by the group were the bogus attempting to find administrative control over a downloader’s device. Loading of fraudulent ad libraries was included in the background activity. “Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access of the victim’s device”, Desai writes. “Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background.” The SMS fraud is conducted by contacting a command and control server through the malicious app in order to get premium-rate SMS numbers. This would enable the criminals in charge of the app reply with new target numbers if someone like a carrier cancelled the scam accounts. The app is very difficult to delete with admin privileges granted to it and it is beyond the ordinary user. A separate persistence package called com.nb.superuser runs on a different thread and withstands deletion of the main app. If the user roots their phone and kills the malware, it allows the persistence app to re-install the bogus battery monitor. Source: The Register