The McAfee Labs Mobile Malware Research team found early this week on Google Play a set of malware published by the developer account ValerySoftware:
Each one of these apps have been downloaded and installed up to 500 times, which means up to 3,000 devices could be infected by this threat.
Some characteristics of this malware:
- Encrypted and obfuscated at many levels
- Downloads APK files from external sources
- Tries to install apps from Google Play without user interaction
- Displays or silently accesses ads from multiple vendors of advertisement development kits
- Leaks sensitive information
- Receives commands to open and close applications
- Receives commands to install and uninstall applications
Negative user reviews on the market are likely caused by the fact that these malicious apps provide no features at all. This Trojan pretends to be a game patch but is only a WebView function that locally loads a couple of HTML resources after requesting device admin privileges—probably to avoid uninstallation after its disappointing execution:
In the background, however, the malware loads and decrypts multiple .dex files to start malicious activities that go unnoticed.
The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The name of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files.
For example, a JSON file that contains URLs of control servers is obfuscated in the decrypted .dex file that is dynamically loaded by the original .dex:
Based in the domain owner’s information in this malware, we can tie the authors to a group of known cybercriminals in Europe who host and distribute malware.
To pass unnoticed, the malware authors incorporated antiemulation techniques in the malicious code so the behavior could not be detected by automated dynamic test environments.
The authors have Trojanized apps created with the Android Robo Templates framework to gain revenue from multiple ad libraries that are injected in the payload .dex, denoted in the following configuration class:
From the main .dex file we can observe a downloader listener class that is ready to download APKs from a given URL. In the red boxes we see other injected classes from the malware:
Although Google has been successful in improving the policing of malicious apps, this threat is a reminder that malware can still be present even in official stores. Your first check before installing an app should be reviews by other users. Also check that permissions the app requests are related to its functionality, and review the developer profile to look for other apps. McAfee reminds you that if an app looks suspicious, you should not install it.