The malicious 'Godless' exploit found in a few Google Play apps sounds scary, but that's about it

Security firm Trend Micro this week detailed "a family of mobile malware called Godless" that it says contained exploits that potentially could root a phone without a user's knowledge. That in and of itself would be bad, opening your phone up to all sorts of nonsense.

And it sounds scary as hell, if you read Trend Micro's blog.

Here's the lede:

We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets. By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. As of this writing, almost 90% of Android devices run on affected versions. Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and has affected over 850,000 devices worldwide.

You can pretty much stop there if you want, and go about your day. But just for fun, let's break down that first graf.

  • This "Godless" malware can target "virtually any device running on Android 5.1 or earlier." OK, that's 89.9 percent of all devices on Google Play. That number will continue to drop as more devices get Marshmallow, however.
  • And just because you're on a pre-Marshmallow device doesn't mean there aren't other checks in place to keep your phone safe from this sort of thing. Extrapolating the percentage of exploited devices from the percentage on Lollipop and below is one hell of a leap — and wrong.
  • Google's "Verify Apps" feature works to pick up sideloaded potentially harmful apps (you can read more on that in this PDF), and we also need to remember that monthly security updates deliver patches without changing the Android version number.
  • "Malicious apps related to this threat can be found in prominent app stores, including Google Play." OK, which other ones? And how many apps in each? Why only name-drop Google Play, in that case? Is it a high percentage? Low percentage? (More on that in a second.) Update: Trend Micro does have a list, but you'll need to download a .pdf file to look at it because it wasn't in their blog post. Here it is.
  • "... and has affected over 850,000 devices worldwide." Well, that's no good. But that's also very conservatively one-one-thousandth of all Android devices out there. (The actual percentage is almost certainly lower than that — I'd say more like 0.0006 percent. I'd say math fail because 850,000 of 1.4 billion is 0.06%.)

Keep reading, though, and the Godless worry drops even further.

  • Trend Micro has a chart showing the global distribution of affected devices. India leads things at 46 percent. Indonesia is the next highest at 10 percent. The United States? 1.51 percent. So something like 400,000 devices affected in India. And 12,000 in the U.S. Context, ya know?
  • There's only one app in Google Play actually listed in the TM blog — "Summer Flashlight," from Crazy Wifi Team. That app — and indeed the developer itself — is no longer listed in Google Play. So since we're all playing fast and loose with assumptions here, let's just assume Google's gotten all of the offending apps out of the way.
  • Update: After looking through the open-source framework that is being used in Godless, we found that only 200 models out of the 14,000-plus Android devices are being targeted and that the Android 5.1.1 incremental update patched the exploits being used, as did the September 2015 security patch.

To be clear, malicious apps are not good. And apps that can help root your phone aren't inherently malicious, even though they're not allowed in Google Play. And it's good that companies are working with Google to help identify apps that manage to slip through the cracks. But there are multiple parts at work here, with multiple layers of security. And context is very important.

Don't sideload apps from sources you don't explicitly trust. Stick to app stores like Google Play and Amazon if you want. Don't click on links in text messages from people you don't know. If something feels wrong, it probably is.

And don't worry too much about Godless. You're probably OK.

Phil Nickinson