SecurityWeek

Encrypted, Obfuscated Malware Slips Into Google Play

A set of malicious applications that recently slipped into Google Play might have infected up to 3,000 devices to date, Intel security researchers have discovered.

Published by a developer going by the name of ValerySoftware, these malicious applications exhibited specific behaviors, including the ability to download APK files from external sources. Their main characteristic, however, was the presence of code encrypted and obfuscated at many levels, Intel’s security researchers say.

The researchers discovered six offending applications, each downloaded and installed up to 500 times at the time of the research, meaning that up to 3,000 users might have fallen victim to them. These malicious apps provided users with no features at all; they were created solely to generate revenue for their developer.

They could install other apps from Google Play without user interaction, display or silently access ads from multiple advertisement development kit vendors, and leak sensitive information. Moreover, researchers say that the malware, detected as Android/Agent.FL, could receive commands to open and close applications and to install and uninstall applications.

This Android Trojan posed as a game patch, yet it consisted only of a WebView that loaded local HTML resources after requesting device administrator privileges. Hidden from the user’s eyes, however, the malware would load and decrypt multiple .dex files to start its malicious activities. Because it had gained admin privileges, the malware could prevent its own uninstallation.

“The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The name of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files,” Intel’s researchers say.

Anti-emulation techniques were also found inside the malicious code, to prevent automated dynamic test environments from observing the threat’s abnormal behavior. The .dex files also included encoded web resources such as PNG images, JavaScript, and HTML code. These resources, which could be observed only after decrypting a third .dex file, are related to the banners and ads that the malicious apps would display.
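The packer described above leaves static traces an analyst can look for before any code runs: an ELF binary and an encrypted payload stored under assets/ with random names, and DEX code that lives somewhere other than the root classes*.dex. The following triage script is an added example, not code from Intel or SecurityWeek, and it does not reproduce the actual samples. It assumes only that an APK is a ZIP archive (which is the case) and builds a constructed stand-in APK in memory; the entropy threshold, the entry names and the asset contents are assumptions chosen for illustration.

```python
"""Static triage heuristics for an APK, modelled on the packer described in the article:
an ELF binary that decrypts an encrypted .dex from a randomly named file under assets/.
Added example, not the researchers' tooling. The sample APK below is constructed."""
import io
import math
import os
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
DEX_MAGIC = b"dex\n"
# Assets that are legitimately high-entropy (already compressed) and must not be flagged.
COMPRESSED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp3", ".ogg",
                  ".mp4", ".zip", ".gz", ".woff", ".woff2", ".ttf"}
ENTROPY_THRESHOLD = 7.2  # bits/byte (assumed cut-off); text, HTML and JS sit well below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> list:
    """Return a list of {'entry', 'reason'} findings for suspicious ZIP entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # directory placeholder
                continue
            data = zf.read(name)
            ext = os.path.splitext(name)[1].lower()
            head = data[:4]
            # 1. Native code hidden among assets rather than under lib/<abi>/
            if name.startswith("assets/") and head == ELF_MAGIC:
                findings.append({"entry": name, "reason": "ELF binary stored as an asset"})
            # 2. DEX bytecode outside the root classes*.dex, i.e. loaded dynamically
            if head == DEX_MAGIC and not (name.startswith("classes") and ext == ".dex"):
                findings.append({"entry": name,
                                 "reason": "DEX file outside classes*.dex (dynamic loading)"})
            # 3. An asset that is neither a known compressed format nor plain text:
            #    near-uniform byte distribution suggests an encrypted blob
            if (name.startswith("assets/") and ext not in COMPRESSED_EXT
                    and head not in (ELF_MAGIC, DEX_MAGIC) and len(data) >= 256):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append({"entry": name,
                                     "reason": f"high-entropy asset ({ent:.2f} bits/byte), "
                                               f"possibly an encrypted payload"})
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like archive exercising each heuristic (not a real sample)."""
    # Deterministic stand-in for ciphertext: 131 is coprime with 256, so every byte
    # value appears exactly 16 times and the entropy is exactly 8.0 bits/byte.
    blob = bytes((i * 131 + 7) % 256 for i in range(4096))
    html = b"<html><body>Loading game patch...</body></html>" * 10
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")     # placeholder, not real AXML
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 120)  # legitimate
        zf.writestr("assets/index.html", html)                  # benign WebView content
        zf.writestr("assets/banner.png", blob)                  # compressed media, excluded
        zf.writestr("assets/m3k9x.bin", ELF_MAGIC + b"\x00" * 300)  # packer stub as asset
        zf.writestr("assets/q7w2.dat", blob)                    # encrypted payload stand-in
        zf.writestr("assets/h.dat", DEX_MAGIC + b"035\x00" + b"\x00" * 300)  # hidden DEX
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_apk(build_sample_apk()):
        print(f"{f['entry']}: {f['reason']}")
```

On the constructed archive the script reports three entries: the ELF stub under assets/, the encrypted-looking .dat file, and the DEX hidden under a non-.dex name, while leaving the PNG and the HTML alone. Treat the output as a prioritisation aid, not a verdict: legitimate apps that ship encrypted assets or commercial packers will trip the same heuristics, so findings should feed a manual look at how the asset is consumed (for example, whether a native library decrypts it and hands it to a class loader).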

The malware’s author appears to be related to “a group of known cybercriminals in Europe who host and distribute malware,” Intel’s researchers say. They also explain that the malware creators built Trojanized apps using the Android Robo Templates framework, in an attempt to gain revenue from multiple ad libraries that are injected in the payload .dex.


Google is performing over 400 million Android security scans daily and also has an application vetting system in place for the Google Play store, but malicious programs still manage to slip through. Earlier this month, a Trojan was said to have been downloaded 2.8 million times via Google Play, while last month, eight fake applications were revealed to have gathered nearly 1 million downloads based on empty promises.

Related: Android App Stole User Photos for Over a Year

Related: Malicious Pokémon GO Apps Land in Google Play
