Researchers at Cisco Talos have discovered a new Trojan that masquerades as the Google Play Store when it infects an Android device. Dubbed, ‘GPlayed’ the Trojan not only labels itself “Google Play Marketplace”, but also uses an icon that looks very similar to the Play Store icon. The researchers note that the Trojan is “extremely powerful” as it has the capability to “adapt after it is deployed”. It’s noted that it has the capability to remotely load plugins, inject scrips and even compile new .NET code to be executed.
“Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one,” the Cisco talos researchers warn in their blog post.
It was noted that the plugins can be added in runtime, or they can be added as a package resource at the time of packaging. As a result, the people behind the app can add to the capabilities of the app without the need to recompile and upgrade the trojan package on an infected device. “This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvest the user's banking credentials, to monitoring the device's location,” the researchers noted.
When it activated, the GPlayed trojan starts executing a multitude of different tasks and will attempt to establish contact with its command and control server in order to register the device. This would include private information such as the phone’s model, IMEI number, phone number and country. Finally, the trojan will attempt to escalate and maintain privileges. This is done by requesting admin privileges on the device and asking the user to allow the trojan access to the device’s settings. The screen asking for the user’s approval will not close unless the user approves the privilege escalation. If the user does manage to close the window, the screen will pop up again a little while later.
Cisco Talos researchers say that the trojan seems to be in the final stages of testing and seems to be directed at Russian-speaking users. The researchers also note that these threats as becoming more common as companies try and deliver their software directly to users and puts at risk users who may not be able to distinguish between a real app and a fake app.