Encrypted, Obfuscated Malware Slips Into Google Play

A set of malicious applications that recently slipped into Google Play might have infected up to 3,000 devices to date, Intel security researchers have discovered.

Published by a developer going by the name of ValerySoftware, these malicious applications exhibited specific behavior, which include the ability to download APK files from external sources. Their main characteristic, however, was the presence of code encrypted and obfuscated at many levels, Intel’s security researchers say.

The researchers discovered six offending applications, each downloaded and installed up to 500 times at the time of the research, meaning that up to 3,000 users might have fallen victim to them. These malicious apps provided users with no features at all, but were created to generate revenue for their developer.

They could install other apps from Google Play without user interaction, could also display or silently access ads from multiple vendors of advertisement development kits, while also being able to leak sensitive information. Moreover, researchers say that the malware, which is detected as Android/Agent.FL, could receive commands to open and close applications and to install and uninstall applications.

This Android Trojan was pretending to be a game patch, yet it was designed only as a WebView function able to locally load HTML resources after requesting device admin privileges. Hidden from the user eyes, however, the malware would load and decrypt multiple .dex files to start its malicious activities. Because it gained admin privileges, the malware could prevent uninstallation.

“The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The name of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files,” Intel’s researchers say.

Anti-emulation techniques were also found inside the malicious code, to prevent automated dynamic test environments from detecting the threat’s abnormal behavior. The .dex files also included encoded web resources such as png images, JavaScript, and HTML code. These resources, which could be observed only after decrypting a third .dex file, are related to banners and ads that the malicious apps would display.

The malware’s author appears to be related to “a group of known cybercriminals in Europe who host and distribute malware,” Intel’s researchers say. They also explain that the malware creators built Trojanized apps using the Android Robo Templates framework, in an attempt to gain revenue from multiple ad libraries that are injected in the payload .dex.

Google is performing over 400 million Android security scans daily and also has an application vetting system in place for the Google Play store, but malicious programs still manage to slip through. Earlier this month, a Trojan was said to have been downloaded 2.8 million times via Google Play, while last month, eight fake applications were revealed to have gathered nearly 1 million downloads based on empty promises.

Related: Android App Stole User Photos for Over a Year

Related: Malicious Pokémon GO Apps Land in Google Play