Android Malware Found On Google Play
Symantec has identified a new malware posted to the official Google Play market. The malware has managed to generate 50,000 to 100,000 downloads of malicious apps before being identifies, the secutity company said.
The threats were posted as two popular titles, one as "Super Mario Bros." and the other was packaged as "GTA 3 Moscow City". Both were posted to Google Play on June 24.
"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Symantec said. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."
This is a technique whereby the author of a malicious app would break it up into separate, staged payloads in order to avoid detection of anomalies during the automated QA screening process. In the case of 'Android.Dropdialer' malware, the first stage was posted on Google Play. Once installed, it would download an additional package, hosted on Dropbox, called 'Activator.apk'.
This additional package sends SMS messages to a premium-rate number. An interesting feature of the secondary payload is that it prompts to uninstall itself after sending out the premium SMS messages?an obvious attempt at hiding the true intent of the malicious app. The premium SMS is targeting Eastern Europe.
"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Symantec said. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."
This is a technique whereby the author of a malicious app would break it up into separate, staged payloads in order to avoid detection of anomalies during the automated QA screening process. In the case of 'Android.Dropdialer' malware, the first stage was posted on Google Play. Once installed, it would download an additional package, hosted on Dropbox, called 'Activator.apk'.
This additional package sends SMS messages to a premium-rate number. An interesting feature of the secondary payload is that it prompts to uninstall itself after sending out the premium SMS messages?an obvious attempt at hiding the true intent of the malicious app. The premium SMS is targeting Eastern Europe.