Another day, another piece of malware lurking on Google Play, masquerading as a free and helpful app.
This time it’s called “Super Free Music Player” and is supposedly a “great song app for discovering and listening to trending music”, and contains “unlimited free songs from Soundcloud.”
The app has been pulled from the store quite recently, but it managed to amass between 5,000 and 10,000 downloads in a month.
The malware inside
Sophos researchers dubbed the malware hiding inside the app Axent-DS.
Axent-DS is capable of collecting device information (language, manufacturer, model, SDK version, list of installed apps, and so on) and sending it to a remote server, as well as downloading additional malicious and/or unwanted payloads from remote websites.
So far, nothing unusual, but the interesting thing about this malware is its dropper component, which uses a number of techniques to bypass detection both by Google and security researchers.
Some of these techniques – time bombs, domain and/or IP mapping, dynamic code loading and reflection, multiple layers – were originally seen in 2015, when they were employed to deliver malware through a very popular Brain Test app (also found on Google Play).
Axent-DS uses dynamic code loading and reflection to load the payload method, and checks whether it is being run in an emulator or within TaintDroid, a popular Android research sandbox. If it is “satisfied” that it is being run on a regular device, it will wait eight hours before actually starting the malicious payload.
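The evasion traits listed above (dynamic loading, reflection, emulator and TaintDroid checks, an eight-hour delay) are exactly what an analyst triaging an APK looks for in the decompiled code. The following static triage script is an added example, not Sophos code or part of the malware; the indicator patterns and the sample smali-style strings are constructed for illustration and would need tuning against real samples.

```python
import re
from collections import defaultdict

# Indicator families mirroring the dropper's evasion techniques. The patterns are
# assumptions for this example (common Android class names and emulator strings).
INDICATORS = {
    "dynamic_loading": [r"dalvik/system/DexClassLoader", r"dalvik/system/PathClassLoader"],
    "reflection": [r"java/lang/Class;->forName", r"java/lang/Class;->getMethod",
                   r"java/lang/reflect/Method;->invoke"],
    "emulator_check": [r"android/os/Build;->FINGERPRINT", r"\bgoldfish\b", r"\bgeneric\b"],
    "taintdroid_check": [r"dalvik/system/Taint", r"TaintDroid"],
    "delayed_execution": [r"android/app/AlarmManager", r"java/util/Timer"],
}

# Eight hours expressed in seconds and in milliseconds.
EIGHT_HOURS = {8 * 3600, 8 * 3600 * 1000}

def long_delay_literal(s):
    """True if the string carries a decimal or hex literal equal to the eight-hour delay."""
    for tok in re.findall(r"0x[0-9a-fA-F]+|\b[1-9]\d{3,}\b", s):
        if int(tok, 0) in EIGHT_HOURS:
            return True
    return False

def scan_strings(strings):
    """Map each indicator family to the decompiled strings that triggered it."""
    hits = defaultdict(list)
    for s in strings:
        for family, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[family].append(s)
        if long_delay_literal(s):
            hits["delayed_execution"].append(s)
    return dict(hits)

def evasion_verdict(strings, min_families=3):
    """Flag a sample when several independent evasion families co-occur."""
    hits = scan_strings(strings)
    families = sorted(hits)
    return {"families": families, "suspicious": len(families) >= min_families, "hits": hits}

# Constructed sample: strings an analyst might pull from the smali of such a dropper.
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;...)V",
    "Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;",
    "Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;",
    "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
    "goldfish",
    "Ldalvik/system/Taint;",
    "Landroid/app/AlarmManager;->set(IJLandroid/app/PendingIntent;)V",
    "const-wide/32 v0, 0x1b77400",  # 28800000 ms, i.e. eight hours, as a hex literal
]
```

Any single family (reflection, a Build.FINGERPRINT read) is common in benign apps, which is why the verdict keys on several families appearing together rather than on one match.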
The offending app can no longer be downloaded from Google Play, but it pays to be careful when downloading other apps from the store.
The researchers didn’t mention Axent-DS having any of the persistence mechanisms of Brain Test, so it’s likely that users who installed it can uninstall it easily by going to their device’s Settings app, opening the Application manager (or Apps), choosing the app they want to uninstall, and tapping on the Uninstall button.