Encrypted, Obfuscated Malware Slips Into Google Play

A set of malicious applications that recently slipped into Google Play might have infected up to 3,000 devices to date, Intel security researchers have discovered.


Published by a developer going by the name of ValerySoftware, these malicious applications exhibited specific behavior, including the ability to download APK files from external sources. Their main characteristic, however, was the presence of code encrypted and obfuscated at many levels, Intel’s security researchers say.

The researchers discovered six offending applications, each downloaded and installed up to 500 times at the time of the research, meaning that up to 3,000 users might have fallen victim to them. These malicious apps provided users with no features at all, but were created to generate revenue for their developer.

They could install other apps from Google Play without user interaction, display or silently access ads from multiple vendors of advertisement development kits, and leak sensitive information. Moreover, researchers say that the malware, which is detected as Android/Agent.FL, could receive commands to open and close applications and to install and uninstall applications.

This Android Trojan pretended to be a game patch, yet it was designed only as a WebView function able to locally load HTML resources after requesting device admin privileges. Hidden from the user’s eyes, however, the malware would load and decrypt multiple .dex files to start its malicious activities. Because it gained admin privileges, the malware could prevent uninstallation.

“The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The name of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files,” Intel’s researchers say.

Anti-emulation techniques were also found inside the malicious code, to prevent automated dynamic test environments from detecting the threat’s abnormal behavior. The .dex files also included encoded web resources such as png images, JavaScript, and HTML code. These resources, which could be observed only after decrypting a third .dex file, are related to banners and ads that the malicious apps would display.
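For defenders, the layout described above (an ELF binary plus an encrypted file in the APK's asset directory, both with random names) points to a static triage check that ignores file names and inspects content instead. The following Python is an added example, not code from Intel's researchers; the entropy threshold, size floor, and sample file names are assumptions, and the sample APK is constructed for the demonstration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits/byte; assumed cut-off, tune on your own corpus
MIN_SIZE = 4096           # assumed floor; entropy of tiny files is not meaningful
# Magic bytes of formats that are legitimately high-entropy (already compressed).
COMPRESSED_MAGICS = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"OggS")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk: bytes) -> dict:
    """Return ELF binaries and opaque high-entropy assets found in an APK."""
    report = {"elf": [], "opaque_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if data.startswith(b"\x7fELF"):
                report["elf"].append(info.filename)
            elif (info.filename.startswith("assets/")
                  and len(data) >= MIN_SIZE
                  and not data.startswith(COMPRESSED_MAGICS)
                  and shannon_entropy(data) > ENTROPY_THRESHOLD):
                report["opaque_assets"].append(info.filename)
    # ELF plus an encrypted-looking asset is a lead for manual review, not a verdict.
    report["packer_like"] = bool(report["elf"] and report["opaque_assets"])
    return report

def build_sample_apk(packed: bool) -> bytes:
    """Constructed test input: a minimal ZIP laid out like an APK."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/index.html", "<html><body>patch</body></html>" * 200)
        if packed:
            zf.writestr("assets/qzxv.dat", blob)  # stand-in for an encrypted payload
            zf.writestr("lib/armeabi/libkqwe.so", b"\x7fELF" + b"\x00" * 60)  # stand-in ELF
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk(packed=True)))
```

Legitimate apps also ship native libraries and compressed or encrypted assets, so a positive result only prioritizes an APK for unpacking and dynamic analysis.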

The malware’s author appears to be related to “a group of known cybercriminals in Europe who host and distribute malware,” Intel’s researchers say. They also explain that the malware creators built Trojanized apps using the Android Robo Templates framework, in an attempt to gain revenue from multiple ad libraries that are injected in the payload .dex.

Google is performing over 400 million Android security scans daily and also has an application vetting system in place for the Google Play store, but malicious programs still manage to slip through. Earlier this month, a Trojan was said to have been downloaded 2.8 million times via Google Play, while last month, eight fake applications were revealed to have gathered nearly 1 million downloads based on empty promises.
