
Malware & Threats

Encrypted, Obfuscated Malware Slips Into Google Play

A set of malicious applications that recently slipped into Google Play might have infected up to 3,000 devices to date, Intel security researchers have discovered.


Published by a developer going by the name of ValerySoftware, these malicious applications exhibited specific behaviors, including the ability to download APK files from external sources. Their main characteristic, however, was the presence of code encrypted and obfuscated at many levels, Intel’s security researchers say.

The researchers discovered six offending applications, each downloaded and installed up to 500 times at the time of the research, meaning that up to 3,000 users might have fallen victim to them. These malicious apps offered users no features at all; they were created solely to generate revenue for their developer.

They could install other apps from Google Play without user interaction, could display or silently access ads from multiple advertisement development kit vendors, and could leak sensitive information. Moreover, the researchers say that the malware, detected as Android/Agent.FL, could receive commands to open and close applications and to install and uninstall applications.

This Android Trojan posed as a game patch, yet it was designed only as a WebView that loads local HTML resources after requesting device administrator privileges. Hidden from the user’s eyes, however, the malware would load and decrypt multiple .dex files to start its malicious activities. Because it had been granted admin privileges, the malware could prevent its own uninstallation.

“The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The names of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files,” Intel’s researchers say.

Anti-emulation techniques were also found in the malicious code, meant to keep automated dynamic analysis environments from observing the threat’s abnormal behavior. The .dex files also included encoded web resources such as PNG images, JavaScript, and HTML code. These resources, which could be observed only after decrypting a third .dex file, are related to the banners and ads the malicious apps would display.
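The layering described above (a native ELF packer, encrypted payloads under random names in the assets directory, extra .dex files decrypted at runtime, and device-admin privileges to resist removal) is exactly the kind of thing a static triage pass can surface before an app ever reaches a sandbox that the anti-emulation checks might defeat. The following Python script is an added example written for this page; it is not code from the article, from Intel, or from the malware. It walks an APK as a ZIP archive and counts independent indicators: ELF magic anywhere in the archive, DEX magic hiding under a non-.dex name or more than one DEX, unknown-format assets whose Shannon entropy is near 8 bits/byte (a stand-in for encrypted data, with common compressed image formats skipped so every PNG is not flagged), and a manifest that references BIND_DEVICE_ADMIN. The entropy threshold, the file names in the constructed sample APK, and the byte-search shortcut for the compiled manifest (rather than a full binary-XML parser) are all assumptions of this example.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Thresholds and magics are this example's own assumptions, not values from the article.
HIGH_ENTROPY = 7.5                 # bits/byte; encrypted or compressed blobs sit near 8.0
DEX_MAGIC = b"dex\n"
ELF_MAGIC = b"\x7fELF"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Formats that are high-entropy by design (compressed); skip them to avoid flagging every image.
KNOWN_COMPRESSED = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"RIFF", b"\x1f\x8b", b"PK\x03\x04")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a blob: 0.0 for a constant byte, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Static indicators matching the behaviours described in the article (not a verdict)."""
    findings = {
        "dex_entries": [],          # entries that start with the DEX magic, whatever their name
        "hidden_dex": [],           # DEX magic under a non-.dex name, e.g. assets/x.dat
        "elf_entries": [],          # native code (the packer in the write-up is an ELF binary)
        "high_entropy_assets": [],  # unknown-format, near-random assets: likely encrypted payloads
        "device_admin": False,      # manifest references BIND_DEVICE_ADMIN
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, data = info.filename, zf.read(info)
            if data.startswith(DEX_MAGIC):
                findings["dex_entries"].append(name)
                if not name.endswith(".dex"):
                    findings["hidden_dex"].append(name)
            if data.startswith(ELF_MAGIC):
                findings["elf_entries"].append(name)
            if (name.startswith("assets/") and not data.startswith(KNOWN_COMPRESSED)
                    and shannon_entropy(data) >= HIGH_ENTROPY):
                findings["high_entropy_assets"].append(name)
            if name == "AndroidManifest.xml":
                # The compiled (binary XML) manifest stores its string pool as UTF-8 or
                # UTF-16LE, so check both encodings instead of parsing the full format.
                findings["device_admin"] = (DEVICE_ADMIN.encode("utf-8") in data
                                            or DEVICE_ADMIN.encode("utf-16-le") in data)
    return findings


def risk_score(findings: dict) -> int:
    """One point per independent indicator; several together justify deeper dynamic analysis."""
    return (int(bool(findings["elf_entries"]))
            + int(bool(findings["high_entropy_assets"]))
            + int(bool(findings["hidden_dex"]) or len(findings["dex_entries"]) > 1)
            + int(findings["device_admin"]))


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK; the names and contents are invented for this example."""
    rng = random.Random(1234)
    random_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    # Minimal fake binary manifest: a few header bytes plus the permission string in UTF-16LE.
    manifest = b"\x03\x00\x08\x00" + DEVICE_ADMIN.encode("utf-16-le") + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("lib/armeabi/libloader.so", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 64)
        zf.writestr("assets/k3j9x.dat", random_blob)                                  # encrypted payload stand-in
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + random_blob[:512])      # legitimate image, skipped
        zf.writestr("assets/index.html", b"<html><body>patch</body></html>")          # low entropy, ignored
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("risk score:", risk_score(result))
```

Run it on a real APK by passing the file's bytes to `triage_apk`; the score is a prioritisation hint for analysts, since many legitimate apps ship native libraries, and the entropy check deliberately ignores formats that are compressed by design.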

The malware’s author appears to be linked to “a group of known cybercriminals in Europe who host and distribute malware,” Intel’s researchers say. They also explain that the malware creators built the Trojanized apps using the Android Robo Templates framework, in an attempt to earn revenue from the multiple ad libraries injected into the payload .dex.


Google performs over 400 million Android security scans daily and also has an application vetting system in place for Google Play, but malicious programs still manage to slip through. Earlier this month, a Trojan was reported to have been downloaded 2.8 million times via Google Play, while last month, eight fake applications were revealed to have gathered nearly 1 million downloads based on empty promises.

Related: Android App Stole User Photos for Over a Year

Related: Malicious Pokémon GO Apps Land in Google Play
