The malicious 'Godless' exploit found in a few Google Play apps sounds scary, but that's about it

Security firm Trend Micro this week detailed "a family of mobile malware called Godless" that it says contained exploits that potentially could root a phone without a user's knowledge. That in and of itself would be bad, opening your phone up to all sorts of nonsense.

And it sounds scary as hell, if you read Trend Micro's blog.

Here's the lede:

We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets. By having multiple exploits to use, Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. As of this writing, almost 90% of Android devices run on affected versions. Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and has affected over 850,000 devices worldwide.

You can pretty much stop there if you want, and go about your day. But just for fun, let's break down that first graf.

  • This "Godless" malware can target "virtually any device running on Android 5.1 or earlier." OK, that's 89.9 percent of all devices on Google Play. That number will continue to drop as more devices get Marshmallow, however.
  • And just because you're on a pre-Marshmallow device doesn't mean there aren't other checks in place to keep your phone safe from this sort of thing. Extrapolating the percentage of exploited devices from the percentage on Lollipop and below is one hell of a leap — and wrong.
  • Google's "Verify Apps" feature works to pick up sideloaded potentially harmful apps (you can read more on that in this PDF), and we need to remember the monthly security updates that don't trigger a new version.
  • "Malicious apps related to this threat can be found in prominent app stores, including Google Play." OK, which other ones? And how many apps in each? Why only name-drop Google Play, in that case? Is it a high percentage? Low percentage? (More on that in a second.) Update: Trend Micro does have a list, but you'll need to download a .pdf file to look at it because it wasn't in their blog post. Here it is.
  • "... and has affected over 850,000 devices worldwide." Well, that's no good. But that's also very conservatively one-one-thousandth of all Android devices out there. (The actual percentage is almost certainly lower than that — I'd say more like 0.0006 percent. I'd say math fail because 850,000 of 1.4 billion is 0.06%.)

Keep reading, though, and the Godless worry drops even further.

  • Trend Micro has a chart showing the global distribution of affected devices. India leads things at 46 percent. Indonesia is the next highest at 10 percent. The United States? 1.51 percent. So something like 400,000 devices affected in India. And 12,000 in the U.S. Context, ya know?
  • There's only one app in Google Play actually listed in the TM blog — "Summer Flashlight," from Crazy Wifi Team. That app — and indeed the developer itself — is no longer listed in Google Play. So since we're all playing fast and loose with assumptions here, let's just assume Google's gotten all of the offending apps out of the way.
  • Update: After looking through the open-source framework that is being used in Godless, we found that only 200 models out of the 14,000-plus Android devices are being targeted and that the Android 5.1.1 incremental update patched the exploits being used, as did the September 2015 security patch.
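
The two fix thresholds in that update (Android 5.1.1 and the September 2015 security patch) can be turned into a quick inventory triage. This is an added example, not code from the article or from Trend Micro; it assumes each inventory row carries the Android release string and a security patch level in YYYY-MM-DD form, and the device names are constructed. It does not check the 200-model list, which the article does not reproduce.

```python
import re

# Thresholds taken from the article: fixed in Android 5.1.1 and in the
# September 2015 security patch.
FIXED_RELEASE = (5, 1, 1)
FIXED_PATCH = (2015, 9)

def parse_release(release):
    """'5.1' -> (5, 1, 0); None if the string has no leading numeric version."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def parse_patch(patch):
    """'2015-11-01' -> (2015, 11); None when the field is missing or malformed."""
    m = re.match(r"(\d{4})-(\d{2})", (patch or "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(release, patch=None):
    """Classify one device against the article's two fix thresholds."""
    rel = parse_release(release)
    level = parse_patch(patch)
    if rel is None:
        return "unknown"                      # e.g. a codename-only build string
    if rel >= FIXED_RELEASE:
        return "patched-by-release"
    if level is not None and level >= FIXED_PATCH:
        return "patched-by-security-update"
    return "review"  # old release and no proof of the September 2015 patch

# Constructed inventory rows: (device label, release, security patch level)
INVENTORY = [
    ("device-a", "5.0", "2015-11-01"),
    ("device-b", "4.4.2", ""),
    ("device-c", "5.1.1", ""),
    ("device-d", "6.0.1", "2016-06-01"),
    ("device-e", "5.1", "2015-08-01"),
]

def report(rows=INVENTORY):
    return {name: triage(rel, patch) for name, rel, patch in rows}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

A "review" verdict only means the device is below both thresholds; whether it is one of the targeted models still has to be checked separately.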

To be clear, malicious apps are not good. And apps that can help root your phone aren't inherently malicious, even though they're not allowed in Google Play. And it's good that companies are working with Google to help identify apps that manage to slip through the cracks. But there are multiple parts at work here, with multiple layers of security. And context is very important.

Don't sideload apps from sources you don't explicitly trust. Stick to app stores like Google Play and Amazon if you want. Don't click on links in text messages from people you don't know. If something feels wrong, it probably is.

And don't worry too much about Godless. You're probably OK.

Phil Nickinson
  • I question your comment about monthly security updates. How many devices that are 5.1 or earlier actually even get monthly updates? I would guess it's an extremely low number, but maybe I'm wrong.
  • Didn't say it was a big number. But it's another layer of the multi-layer security.
  • Hey Phil what about us that are already rooted do we run a greater threat with this particular godless and sideloading tactic? Posted via the Android Central App
  • Been a long time since I've rooted, but shouldn't SU still trigger? Posted via the Android Central App
  • Just wanted some clarification if SU would trigger.
    As always thank you. Posted via the Android Central App
  • Been getting them lately on my AT&T Galaxy S5. Has 5.1.1 Posted via the Android Central App
  • My AT&T Note 4 is on the June update. Posted from someone's Note 4
  • I feel like I just re-read the comment sections of a few other Android blogs I follow, because some of the statistics and quotes of this article seem to be copied verbatim from user comments of the past couple of days...
  • Common sense in comments? Whodathunkit? Posted via the Android Central App
  • Sounds weird to me. I know *I* never post any common sense here. Posted via the Android Central App
  • I didn't know that's how Americans spelt graf. Learn something new every day. Good article. Posted via the Android Central App
  • Heh. It's not. Old journalism shorthand habit. Posted via the Android Central App
  • *graph
  • More fanboyism masquerading as journalism. Phil, when is something actually a security risk in your eyes? I would say malware on the Google app store classifies. If there is one phone affected then it's one too many.
  • Let me try to explain it another way then: Everything is a security risk. Show me an app store with a zero percent chance of something malicious creeping in — or having ever crept in — and I'll show you an empty app store. It's unrealistic. Show me a communications device with a zero percent chance of ever being listened in on, and I'll show you a single tin can without a string. One phone being affected IS too many. But it's also not at all realistic. That's something anyone involved in any step of this process knows and understands. So you mitigate. You try to limit the ways malicious apps can happen. You try to limit the ways they can escape detection. You try to limit the damage they can do if they DO sneak in. That's what Google (and Apple, and Microsoft, and ...) does. That's why there are so many layers of mitigation. (In fact, I like that far better than saying "protection.") Exploits, by definition, ARE serious. Some are more serious than others. And then there's theoretical exploits vs. practical exploits. But time and time again we see these security companies doing a good thing badly, by ignoring context and, oh by the way, you should buy their product if you REALLY want to be secure. ... That's nonsense, and it does a disservice to all the unsung people who actually DO fight for our security every day. Ignoring context and going Chicken Little every time to the point that nobody cares? That's the real security risk.
  • I think a "Can and String" is susceptible to a man in the middle attack.
  • It would take 2 cans and a string, lol. One can and a string are perfectly safe.
  • Or two strings for redundancy!
  • What a perfect explanation Posted via the Android Central App
  • Most of these articles are FUD pushed by anti-malware companies and when Google actually comments or independent researchers weigh in, we find out they're actually nothing. And almost all blogs that just republish the "findings" without adding the context and laying it out like you did (well done) ignore the several LAYERS of security that Android devices use to protect users from this. Using Google Play Services and not buying the worst of the worst devices that will never see a security update (let alone a firmware update) are two good steps to not being in the 0.001% or less that are susceptible to these sorts of things - and the common sense "don't do stupid stuff" measures pretty much guarantee that if you don't try to get actual malware, you're not going to get it. Bad adware because you tried to get paid stuff for free? Yeah, probably. but malicious code that can take over your device or steal your info? You have to be really trying to get that on modern unrooted flagships that are being kept up to date by OEMs and are owned by users that have even the smallest part of common sense regarding security.
  • Phil is right, people. Even Apple has had security risks, just as Google does. The issue is with some apps in the Play Store and Google has control over that. They can pull them or get it fixed. Posted via the Android Central App
  • If this thing can root my verizon s5, someone needs to release a safe version of it...
  • Lol Posted from my Nexus 6P.
  • Great article and appreciate giving those numbers some context. Maybe next podcast you could spend 5 minutes talking about the process of fixing something like this as I have always been curious. I am assuming monthly security patches are the "fix," but what temporary and immediate measures are there, like pulling the app, etc? And I do understand that most of these scenarios are rare where everything has to line up perfectly, but I am curious due to the amount of devices that will never see monthly security updates (thanks carriers). Posted via the Android Central App
  • Excellent idea! And monthly security patches are A fix. They're one more layer in all this.
  • I think that the number is .06%, if I followed your math correctly. Posted via the Android Central App
  • Yeah, was about to make the same comment. That's still *a lot of devices* - not to equate with other things, but people on the internet often use percentages to make actual things seem unimportant. Sure, it means your odds are low, but that's still a lot of devices.
  • Why do you equate a low risk with "seem unimportant"? Phil never said it was unimportant. "Seem unimportant" is your mischaracterization. The reality is the risk to an individual is actually low as indicated by the calculated percentage and not how you arbitrarily define "a lot"? It's all about context, context, context. Numbers are meaningless without context.
  • Good catch. I thought that looked odd. Posted via the Android Central App
  • Free root without the hassle of doing it myself and potentially bricking my device? How can I resist? Posted via the Android Central App
  • LOL good point
  • Word. :)
  • When apps with exploits end up in Google Play I look into what's happening a little more deeply because I do not trust companies like Trend Micro. If you look through the open-source tools that the Godless exploit relies on, you'll find three important things that Trend Micro either doesn't say or fails to explain: 1.) 200 models of Android devices are affected. There are over 14,000 models. 2.) The Android 5.1.1 update patches all devices against this exploit. 3.) The September 2015 security patch nullifies this exploit. I've added this to the post for the next person who sees more crap posted about Godless and searches for more information.
  • Is the list of 200 affected devices available anywhere?
  • If you go to the GitHub for the android-rooting-tools framework (it's linked in the post) and pull it you can build the supported device database then open it and read the record. I can save you a lot of frustration — it's the same framework KingoRoot uses. Any device supported by them is also affected here. Most of them in the database are ones I never heard of. The few listed that I did know have all been patched. If KingoRoot will root your phone (very few still work) this exploit applies.
  • Thanks Jerry! You're the man!
  • Whenever I hear about one of these TERRIBLE MALICIOUS VIRUS ON ANDROID in the news, I always come here to find out the real story. How likely is the risk? What do I possibly need to do, if anything?
  • "How likely is the risk?" If your phone is running Android 5.1.1 or later there is no chance of this affecting you. If your phone has an earlier version of Android with a security patch date of September 2015 or later there is no chance of this affecting you.
  • And don't worry too much about Godless. You're probably OK. lol, I am sorry, you guys say this about EVERY SINGLE THREAT TO ANDROID.
    pfffft. don't worry, only 90% of you even have a chance at this threat..... I would bet any amount of money if a Virus came out tomorrow that affected any android device at any time, AC would say it's not a big deal. Don't worry,... You're PROBABLY ok.... I still have a Note 2 on 4.4.2 Kitkat. it's Probably OK, right ?
  • No, you're probably susceptible since you don't get updates
  • How about all the tablets like my Samsung Tab Pro that have not updated past KitKat 4.4.2? I am beyond livid at Samsung for not updating these. Unfortunately I own 4. Should I root and update to Marshmallow? Posted via Android Central App
  • Sure. If you feel comfortable doing so and there is a rom for it that is fully patched. If you don't care about their useless warranties then root, replace and use the tablets. Why not.
  • My Galaxy Note 3 is on 5.0, but I have the November 2015 security patch. That's reassuring, I guess...? Also, the single BEST antivirus costs $0.00, works excellently offline, and is used by many, many people. It's called COMMON SENSE! Try it! This phone has the AC App.
  • Anyone that installs a flashlight app that needs permissions other than turning the led on or off deserves to be infected, stupidity prevails over basic common sense every time. Posted via the Android Central App
  • ... Which, to be fair is the camera permission. If it's a free one with ads, it'll also need the network connectivity permission. Anything else though, beware. Of course, to the non-techies like us, the permissions list is like the infamous EULA or Terms of Service agreement that many just click Accept on. Posted via the Android Central App
  • If I have a root management app installed, does it mean I'm safe? I mean, if Godless tries to obtain root access, it will show me an allow/deny prompt, right?
  • I have a question for anybody who knows a bit about developing an app that uses network permissions... Would it be feasible for Google to require developers to publish the website and/or ip address of the server the app is programmed to automatically connect to? When we see a network permission, we assume it's for ads and anonymous data analytics. In situations like the flashlight app, it was using a predefined url to download the rogue app update. If they listed the websites their apps are set to automatically connect to, it might help us determine if something looks fishy... Plus, I'm always curious about what apps are up to while they're running in the background using my precious limited data. Posted via the Android Central App
  • Good article, but doesn't change one IMPORTANT detail: If you run anything earlier than Android 5.1.1, you can get rooted not only from an app but also from a PLAIN WEBPAGE running javascript, because of the futex exploit, which only needs javascript to run. This means the majority of the Android install base is open to security exploits. That's really, really bad. Meanwhile, all Windows Phone 7 devices (or even my old Aspire One running Windows 7) get timely security patches and are secure. Don't bother blaming OEMs please, the Galaxy Nexus is just as vulnerable, even though it is a Nexus device (and btw is newer than my Aspire One netbook). Google has fumbled long-term security support.