Encrypted, Obfuscated Malware Slips Into Google Play

A set of malicious applications that recently slipped into Google Play might have infected up to 3,000 devices to date, Intel security researchers have discovered.

Published by a developer going by the name of ValerySoftware, these malicious applications exhibited specific behavior, including the ability to download APK files from external sources. Their main characteristic, however, was the presence of code encrypted and obfuscated at many levels, Intel’s security researchers say.

The researchers discovered six offending applications, each downloaded and installed up to 500 times at the time of the research, meaning that up to 3,000 users might have fallen victim to them. These malicious apps provided users with no features at all, but were created to generate revenue for their developer.

They could install other apps from Google Play without user interaction, could display or silently access ads from multiple advertisement development kit vendors, and could leak sensitive information. Moreover, researchers say that the malware, detected as Android/Agent.FL, could receive commands to open and close applications and to install and uninstall applications.

This Android Trojan was pretending to be a game patch, yet it was designed only as a WebView function able to locally load HTML resources after requesting device admin privileges. Hidden from the user’s eyes, however, the malware would load and decrypt multiple .dex files to start its malicious activities. Because it gained admin privileges, the malware could prevent its own uninstallation.

“The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The names of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files,” Intel’s researchers say.
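The packer layout described above (an ELF binary and encrypted .dex payloads shipped as randomly named files under the APK's assets directory) leaves static traces a defender can look for before any code runs. The following Python script is an added illustration, not Intel's analysis tooling and not code from the apps in the article: it walks an APK as a ZIP archive, flags ELF binaries stored under assets/, measures the Shannon entropy of asset blobs to spot likely encrypted payloads, and counts DEX files. The sample APKs it builds, and every file name inside them, are constructed for the demonstration; the scoring weights and the 7.5 bits-per-byte threshold are assumptions chosen for triage, not values from the research.

```python
"""Static triage of an APK for packer-style traits: ELF binaries and
high-entropy (likely encrypted) blobs under assets/.  Added example; the
thresholds, weights, sample APKs and file names below are constructed."""
import hashlib
import io
import math
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"   # start of every ELF executable/shared object
DEX_MAGIC = b"dex\n"     # Dalvik executable, followed by a version such as "035\0"
PNG_MAGIC = b"\x89PNG"   # images are compressed and legitimately high-entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Scan an APK (a ZIP file) and return the packer-related findings."""
    findings = {"elf_in_assets": [], "high_entropy_assets": [], "dex_count": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            head = data[:8]
            is_dex = head.startswith(DEX_MAGIC)
            if is_dex:
                findings["dex_count"] += 1
            if not name.startswith("assets/"):
                continue
            # A native executable in the asset directory is unusual: shared
            # libraries belong under lib/<abi>/, not where data files live.
            if head.startswith(ELF_MAGIC):
                findings["elf_in_assets"].append(name)
            # Skip small files and images; both produce noisy entropy readings.
            if len(data) >= min_size and not head.startswith(PNG_MAGIC) and not is_dex:
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
    # Assumed weights: an ELF under assets/ is a stronger signal than one opaque blob.
    findings["score"] = 3 * len(findings["elf_in_assets"]) + len(findings["high_entropy_assets"])
    return findings


def _pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed APK mimicking the described layout (names are made up)."""
    return _zip({
        "AndroidManifest.xml": b"\x03\x00\x08\x00" + b"\x00" * 64,   # binary-XML header stub
        "classes.dex": DEX_MAGIC + b"035\x00" + b"\x00" * 100,      # tiny loader stub
        "assets/index.html": b"<html><body>loading...</body></html>" * 50,
        "assets/k3jd9s.dat": _pseudo_random(4096),                  # "encrypted" payload blob
        "assets/a1b2c3": ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 2000,  # unpacker binary
    })


def build_benign_apk() -> bytes:
    """Constructed APK with only ordinary contents, for comparison."""
    return _zip({
        "AndroidManifest.xml": b"\x03\x00\x08\x00" + b"\x00" * 64,
        "classes.dex": DEX_MAGIC + b"035\x00" + b"\x00" * 100,
        "assets/index.html": b"<html><body>hello</body></html>" * 50,
        "res/drawable/icon.png": PNG_MAGIC + _pseudo_random(3000),
    })


if __name__ == "__main__":
    for label, apk in (("sample", build_sample_apk()), ("benign", build_benign_apk())):
        print(label, triage_apk(apk))
```

The entropy check is a heuristic rather than proof: compressed assets other than PNG (fonts, archives, media) will also score high, which is why the ELF-under-assets finding carries more weight and why a hit should lead to dynamic analysis rather than a verdict on its own.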

Anti-emulation techniques were also found inside the malicious code, to prevent automated dynamic test environments from detecting the threat’s abnormal behavior. The .dex files also included encoded web resources such as PNG images, JavaScript, and HTML code. These resources, which could be observed only after decrypting a third .dex file, are related to banners and ads that the malicious apps would display.

The malware’s author appears to be related to “a group of known cybercriminals in Europe who host and distribute malware,” Intel’s researchers say. They also explain that the malware creators built Trojanized apps using the Android Robo Templates framework, in an attempt to gain revenue from multiple ad libraries that are injected in the payload .dex.

Google is performing over 400 million Android security scans daily and also has an application vetting system in place for the Google Play store, but malicious programs still manage to slip through. Earlier this month, a Trojan was said to have been downloaded 2.8 million times via Google Play, while last month, eight fake applications were revealed to have gathered nearly 1 million downloads based on empty promises.
