Google’s official Android store, Google Play was recently found to have some more malware hosted; a discovery that demonstrates the limits of the recently deployed scanning service that scours Google Play for malicious smartphone apps. The trojan - Android.Dropdialer, which racks up expensive charges from forced phonecalls to premium numbers, was found in two separate apps that weren’t identified for weeks, reports a blog post on the Symantec website by Irfan Asrar, a researcher with the antivirus provider.
The apps “GTA 3 Moscow City” and “Super Mario Bros.” were carrying the trojan and generated as many as 10,000 downloads, though Asrar didn’t mention if that figure was for separate titles or in total. "What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Asrar wrote. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."
Et tu Mario?
Asrar had discussed malware deploying from a remote payload in a blog post last year where the author of the app would break it into separate staged payloads in order to avoid being detected during the automated QA screening process of the Play Store. “In the case of Android.Dropdialer, the first stage was posted on Google Play. Once installed, it would download an additional package hosted on Dropbox called ‘Activator.apk’.” he wrote.
Activator.apk sends SMS messages to a premium-rate number. It is interesting to note that the package attempts to uninstall itself after sending out the messages an obvious attempt to hide the true intent of the malicious app.
Another example of multiple payload malware is a variant of Android.Lightdd discovered last year, which runs a background process called “Game Services”. It attempts to connect to some domains and is responsible for reconnaissance and information gathering, such as phone model, language, country, IMEI, OS, etc. on the compromised device, and then continues to download additional payloads. The major obstacle for Android.Lightdd is that it requires the user to accept the installation of the app it has infected. However, another discovered threat, Android.Jsmshider, has found a way to overcome this obstacle.
Asrar mentions in his old blog post about multiple payload malware, “By signing the payload with an Android Open Source Project (AOSP) certificate, the threat was capable of performing further downloads without any interactions or prompts, as the underlying device considered the payload to be a system update by virtue of the accompanying certificate. At this point, however, this deception only works for custom modifications.”
Android Security immediately removed the infected apps, “Super Mario Bros.” and “GTA 3 Moscow City”, from Google Play after Symantec notified them of the threat.
Published Date: Jul 11, 2012 02:13 pm | Updated Date: Jul 11, 2012 02:13 pm