Dr. Web researchers have discovered over 60 Trojanized game apps being offered on Google Play through more than 30 different game developer accounts.
The games are made to look like other popular offerings but hide a Trojan (dubbed “Xiny”) that collects device information, shows unwanted ads, and can download additional malicious apps.
The offending developer accounts – Billapps, Conexagon Studio, Fun Color Games, and many more – are still up even though the researchers have notified Google about them.
It’s more than likely that these accounts have been opened by the same cybercriminal(s), since the device information the Trojan collects includes the name of the app into which it has been “folded”.
Other information collected by the Trojan and sent to the C&C server includes the device’s IMEI and IMSI, MAC address, information about the mobile operator, OS version, selected country and language, whether or not a memory card is in the device, and whether the malicious app is located in the system folder.
The Trojan can receive orders from the C&C, so the cybercriminals can make it display ads, download potentially malicious apps and prompt the user to install them, install and delete programs if root access is available on the device, and launch arbitrary APK (Android application package) files received from the C&C server.
“The way APK files are launched looks as follows: Android.Xiny.19.origin downloads a specially created image, which contains the corresponding file object hidden with the help of steganography, from the server. Then the Trojan retrieves the apk file using a special algorithm. After that, the malicious application loads the file into RAM of the infected device using the DexClassLoader class,” the researchers explained.
This unique approach was likely taken so that AV solutions would have a harder job detecting the malicious code, and so that malware analysts would perhaps overlook the delivered image.
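The researchers do not publish the retrieval algorithm, but the simplest form of this trick is a payload appended after the image's real end marker. As an added example (not from Dr. Web or the article), the following Python scanner walks a PNG or JPEG to its proper end and flags any trailing bytes that carry an APK (ZIP) or DEX signature; the sample images are constructed inline, and a payload hidden with a genuinely custom encoding would not be caught by this check.

```python
import struct
import zlib
from typing import Optional

# Signatures an Android loader would ultimately consume: the ZIP local-file
# header that starts an APK, and the DEX header magic.
PAYLOAD_MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n035\x00": "dex"}

def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk (PNG) or EOI marker (JPEG), else None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        pos = 8
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length          # length field + type + data + CRC
            if ctype == b"IEND":
                return pos
        return None                     # truncated or malformed PNG
    if data.startswith(b"\xff\xd8"):
        # Entropy-coded data byte-stuffs 0xFF, so a bare FFD9 is the EOI marker
        # (an embedded EXIF thumbnail could end earlier; acceptable for triage).
        eoi = data.find(b"\xff\xd9")
        return eoi + 2 if eoi != -1 else None
    return None

def trailing_payload(data: bytes) -> dict:
    """Classify an image by what, if anything, follows its structural end."""
    end = image_end_offset(data)
    if end is None:
        return {"verdict": "unparsed", "trailing_bytes": 0, "embedded": []}
    tail = data[end:]
    found = [name for magic, name in PAYLOAD_MAGICS.items() if magic in tail]
    verdict = "suspicious" if found else "clean"
    return {"verdict": verdict, "trailing_bytes": len(tail), "embedded": found}

def make_png() -> bytes:
    """Constructed 1x1 greyscale PNG (IHDR + IDAT + IEND) used as sample input."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # one filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

CLEAN_PNG = make_png()
# Constructed samples: a fake ZIP local header glued after IEND, and a
# minimal JPEG followed by a DEX magic.
TAINTED_PNG = CLEAN_PNG + b"PK\x03\x04" + b"\x00" * 26 + b"classes.dex"
TAINTED_JPEG = b"\xff\xd8\xff\xd9" + b"dex\n035\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("png", TAINTED_PNG), ("jpeg", TAINTED_JPEG)]:
        print(name, trailing_payload(blob))
```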
Unfortunately, this is neither the first nor likely the last time that Trojanized apps are offered on Google Play. It’s always a good idea to find out more about the developer of an app and try to gauge whether he or she has a good reputation. If in doubt, seriously consider forgoing the app altogether – no matter how badly you want to use it.