Security Alert: New Android Malware—UpdtKiller—Removes Antivirus Software

NQ Mobile’s Security Research Center recently uncovered a new Android malware, which we’ve named UpdtKiller. UpdtKiller has the ability to:

  • Upload victims’ personal information and retrieve commands from a remote control and command (C&C) server.
  • Block antivirus software processes so that viruses can’t be detected.

According to our analysis, UpdtKiller is a bot-like malware, and is manipulated by a remote C&C server to send SMS messages, auto-reply with SMS messages, and block SMS messages that have certain words.

How It Works

UpdtKiller disguises itself as a legitimate application and silently hides in the user’s Android device. Once a device is infected, the malicious service shows up in the user’s device as UpdateService, which is commonly used by systems. This makes the malicious app appear to be harmless so users don’t suspect they have malware on their phones.

Here’s how it works:

  1. UpdtKiller receives the system’s bootup broadcast and starts to communicate with the system.
  2. Once this starts, UpdateService uploads personal information, such as IMEI, IMSI, and installed application lists, while also retrieving information from a remote C&C service.
  3. Once it analyzes the content from the server and obtains the information it needs, it can use this information to trigger a number of malicious acts.

Figure 1Figure 1 Invoke the malicious service


What Does It Do?

Our research team at NQ Mobile found that UpdtKiller has the ability to send SMS messages, which can be configured by a remote server. In addition, the remote C&C server can also send commands to control the device, allowing it to block SMS messages with certain words and send auto-reply SMS messages if it wants to.

Like many types of malware, UpdtKiller has various self-protection mechanisms. It misguides the user to activate device administrator so that the user can’t uninstall it in a common way. It also acquires the installed application list, locates certain antivirus software, analyzes their processes, and terminates them. This means that a user’s antivirus software will no longer be able to detect and block this malware.

Figure 2Figure 2 Lure the user to activate device administrator

Figure 3Figure 3 Code snippet of terminating antivirus software

Figure 4 A list of some antivirus software


Protect Yourself from UpdtKiller

NQ Mobile Security users are already fully protected from this and all other malware threats.  If you don’t have a powerful mobile security app on your phone, we recommend that you take the following precautions:

  • Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading.
  • Never accept application requests from unknown sources. Closely monitor permissions requested by any application; an application should not request permission to do more than what it offers in its official list of features.
  • Be alert for unusual behavior on the part of mobile phones and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device.
  • Download NQ Mobile Security for Android today.


One thought on “Security Alert: New Android Malware—UpdtKiller—Removes Antivirus Software

  1. Pingback: » UpdtKiller: nuovo Android malware disabilita i software antivirus ApiLabs di Anti-Phishing Italia – Sicurezza informatica, cyber crime e pagamenti on-line