Remote Malware on Google Play

Thursday, July 12, 2012 @ 04:07 PM gHale


New malware masquerading as two apps on Google Play claimed up to 100,000 victims before security experts removed the Trojan.

“Super Mario Bros.” and “GTA 3 Moscow City” racked up 50,000 to 100,000 downloads after they posted June 24 on Google Play, said researchers at Symantec.


“What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered,” Symantec’s Irfan Asrar wrote in a blog. “Our suspicion is that this was probably due to the remote payload employed by this Trojan.”

Asrar last year wrote about this evasion-driven technique, in which the payload is split into separate modules that are delivered independently, making it easier to hide and to inject into other apps. In the case of this malware, called Android.Dropdialer, the first stage was posted on Google Play. Once installed, it downloaded an additional package, Activator.apk, via Dropbox; that package sends SMS messages to a premium-rate number tied to Eastern Europe.
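As an added defender-side example, not part of the article or of Symantec's analysis: a heuristic that flags the staged-dropper sequence described above (install, remote .apk fetch from a file host, premium-rate SMS, self-uninstall prompt) over constructed per-app behaviour events. The event format, the file-hosting domains and the premium-rate prefixes are assumptions made for this example.

```python
from urllib.parse import urlparse

# Assumption: the event format below is invented for this example; it is not
# a real Android log format. Hosts and number prefixes are also assumptions.
FILE_HOSTS = {"dropbox.com", "dl.dropbox.com", "dl.dropboxusercontent.com"}
PREMIUM_PREFIXES = ("+7", "+380", "+375")  # constructed premium-rate prefixes

def _is_remote_apk(event):
    """Download of an .apk from a file-hosting host, as Dropdialer did."""
    if event["type"] != "download":
        return False
    u = urlparse(event["url"])
    host = u.hostname or ""
    return u.path.lower().endswith(".apk") and any(
        host == h or host.endswith("." + h) for h in FILE_HOSTS)

def _is_premium_sms(event):
    return event["type"] == "sms_sent" and event["to"].startswith(PREMIUM_PREFIXES)

# The four stages, in the order the article describes them.
STAGES = (
    ("installed", lambda e: e["type"] == "install"),
    ("fetched remote APK", _is_remote_apk),
    ("sent premium-rate SMS", _is_premium_sms),
    ("prompted self-uninstall", lambda e: e["type"] == "uninstall_prompt"),
)

def find_dropper_chains(events):
    """Return {package: stage names} for packages that hit every stage in order."""
    progress, matched = {}, {}
    for e in sorted(events, key=lambda e: e["t"]):
        pkg, i = e["pkg"], progress.get(e["pkg"], 0)
        if i < len(STAGES) and STAGES[i][1](e):
            matched.setdefault(pkg, []).append(STAGES[i][0])
            progress[pkg] = i + 1
    return {p: s for p, s in matched.items() if len(s) == len(STAGES)}

# Constructed events: one package follows the full chain, one is benign.
SAMPLE_EVENTS = [
    {"t": 1, "pkg": "com.example.mario", "type": "install"},
    {"t": 2, "pkg": "com.example.mario", "type": "download",
     "url": "https://dl.dropbox.com/u/placeholder/Activator.apk"},
    {"t": 3, "pkg": "com.example.mario", "type": "sms_sent", "to": "+79000000000"},
    {"t": 4, "pkg": "com.example.mario", "type": "uninstall_prompt"},
    {"t": 1, "pkg": "com.example.notes", "type": "install"},
    {"t": 2, "pkg": "com.example.notes", "type": "download",
     "url": "https://cdn.example.net/levels.zip"},
    {"t": 3, "pkg": "com.example.notes", "type": "sms_sent", "to": "+15550100"},
]
```

Running `find_dropper_chains(SAMPLE_EVENTS)` reports only the package that completed every stage in order; a benign app that downloads non-APK content or texts a normal number never advances past the second stage.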

“An interesting feature of the secondary payload is it prompts to uninstall itself after sending out the premium SMS messages — an obvious attempt at hiding the true intent of the malicious app,” Asrar said.

Android Security immediately revoked the threat after notification, Asrar said.


