{"id":82102,"date":"2017-11-14T14:53:28","date_gmt":"2017-11-14T22:53:28","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=82102"},"modified":"2025-05-27T21:27:45","modified_gmt":"2025-05-28T04:27:45","slug":"android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/","title":{"rendered":"New Android Malware Found in 144 GooglePlay Apps"},"content":{"rendered":"<p>McAfee\u2019s Mobile Research team has found a new Android malware in 144 \u201cTrojanized\u201d applications on Google Play. We named this threat Grabos because we found this string in several elements of the code, including variable and method names. Grabos was initially found in the Android application \u201cAristotle Music audio player 2017,\u201d which claimed to be a free audio player on Google Play:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82122 size-medium\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-296x300.png\" alt=\"\" width=\"296\" height=\"300\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-296x300.png 296w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-494x500.png 494w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-50x50.png 50w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-64x64.png 64w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-96x96.png 96w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1.png 684w\" sizes=\"auto, (max-width: 296px) 100vw, 296px\" \/><\/a><\/p>\n<p><em>Figure 1. Trojanized music app in Google Play.<\/em><\/p>\n<p>At the time Aristotle Music was discovered, the application had a very good rating. According to Google Play, the application was installed between one and five million times and had a recent comment from a user saying that the application was detected as malware:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82123 size-medium\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-2-248x300.png\" alt=\"\" width=\"248\" height=\"300\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-2-248x300.png 248w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-2-414x500.png 414w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-2.png 584w\" sizes=\"auto, (max-width: 248px) 100vw, 248px\" \/><\/a><\/p>\n<p><em>Figure <\/em><em>2<\/em><em>. User reporting the application Aristotle Music being detected as malware.<\/em><\/p>\n<h2><strong>Grabos on Google Play<\/strong><\/h2>\n<p>McAfee Mobile Research notified Google about Grabos in September and confirmed that Google promptly removed the reported application. After further research, we found another 143 applications (see complete list at the end of this post); all have been removed from Google Play. 
Six were removed after we reported the first to Google:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82124 size-medium\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-3-300x159.png\" alt=\"\" width=\"300\" height=\"159\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-3-300x159.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-3-768x408.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-3.png 813w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><em>Figure 3. Additional Grabos Trojanized apps formerly on Google Play.<\/em><\/p>\n<p>At the time of writing this post, 34 applications still had their webpages available in cache, so we were able to obtain additional information such as the approximate number of installs, last updated date, and rating. Most of these apps were last updated in August and October. 
They had an average rating of 4.4, and between 4.2 million and 17.4 million users downloaded these apps from Google Play:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82125 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-4.png\" alt=\"\" width=\"900\" height=\"718\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-4.png 900w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-4-300x239.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-4-768x613.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-4-627x500.png 627w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p><em>Figure 4. Malicious apps details from Google Play.<\/em><\/p>\n<p>Grabos likely evaded Google Play security measures because the injected code is protected with a commercial obfuscator, making it very difficult to statically analyze without executing the application. Even dynamic analysis to stop its execution is difficult without knowing what the app is checking. However, once we unpacked the code, we proceeded with our analysis.<\/p>\n<h2><strong>\u201cFake\u201d vs. \u201creal\u201d apps<\/strong><\/h2>\n<p>We found Grabos injected in file explorer and music player applications, some of them open source. Every time that the app is opened, it checks if any of the following settings is <strong>not true<\/strong> to decide whether to launch the \u201cfake\u201d (legitimate functionality) or \u201creal\u201d (injected packed code) app:<\/p>\n<ul>\n<li>isOnline: Checks if the device has Internet connectivity<\/li>\n<li>getIsBlacklisted: Checks if the Android debug bridge (adb) and development settings are enabled or if the device is in an emulator. 
If the latter is the case, the device is blacklisted and the \u201cfake\u201d app is launched.<\/li>\n<li>getIsForcedBlacklisted: Flag set by the control server.<\/li>\n<\/ul>\n<p>The code also has a test mode that allows the execution of the \u201creal\u201d app in case it is running in an emulator or has adb and development settings enabled. These checks detect if the app is currently being dynamically analyzed and prevent the execution of the hidden code if necessary.<\/p>\n<p>In case the app is not being analyzed or is in test mode, the \u201creal\u201d app launches. This hidden music downloader searches for a specific song on YouTube. Once the song is selected, it can be downloaded in MP3 or MP4 format to be played offline.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82126 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5.png\" alt=\"\" width=\"1175\" height=\"846\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5.png 1175w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5-300x216.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5-768x553.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5-1024x737.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-5-694x500.png 694w\" sizes=\"auto, (max-width: 1175px) 100vw, 1175px\" \/><\/a><\/p>\n<p><em>Figure 5. &#8220;Fake&#8221; vs &#8220;real&#8221; app flow. \u201cBL\u201d stands for \u201cblacklisted.\u201d<\/em><\/p>\n<p>At this point, the application seems to be just a music downloader hidden in a Trojanized app that checks for dynamic analysis to avoid being removed from Google Play due to its downloading of copyrighted music. 
In the background, however, more is happening.<\/p>\n<h3><strong>Communicating with the Control Server<\/strong><\/h3>\n<p>In addition to the \u201cfake\u201d and \u201creal\u201d app functionality, Grabos is also present in the AndroidManifest as a receiver that executes every time there is a connectivity change or when the app is installed:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82127 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-6.png\" alt=\"\" width=\"571\" height=\"104\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-6.png 571w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-6-300x55.png 300w\" sizes=\"auto, (max-width: 571px) 100vw, 571px\" \/><\/a><\/p>\n<p><em>Figure 6. Grabos receiver in the AndroidManifest.<\/em><\/p>\n<p>If the receiver is executed due to a connectivity change, the execution ends if the device is offline or if fewer than five seconds have passed since the last connection. If more than five seconds have already passed, the method \u201cupdateRemoteSettingsSynchronousTask\u201d executes. 
This method collects and encrypts (Base64 plus Advanced Encryption Standard) the following data from the infected device:<\/p>\n<ul>\n<li>Device information:\n<ul>\n<li>android_version<\/li>\n<li>build_model<\/li>\n<li>install_referrer<\/li>\n<li>network_country<\/li>\n<li>sim_country<\/li>\n<li>carrier_name<\/li>\n<li>language_code<\/li>\n<li>country_code<\/li>\n<li>time_timezone<\/li>\n<\/ul>\n<\/li>\n<li>Device location: Grabos uses free IP geolocation API services to obtain IP address information such as city, country code, ISP, organization, region, and ZIP code.<\/li>\n<li>Device configuration:\n<ul>\n<li>is_emulator<\/li>\n<li>is_rooted<\/li>\n<li>is_adb_enabled<\/li>\n<li>is_dev_settings_enabled<\/li>\n<li>allow_mock_location<\/li>\n<li>allow_non_market (unknown sources enabled\/disabled)<\/li>\n<li>is_vpn_connected<\/li>\n<li>dp checks (additional root, debug, and emulator checks provided by the commercial obfuscator)<\/li>\n<\/ul>\n<\/li>\n<li>Installed Grabos app information: version_code, package_name, and install_time<\/li>\n<li>Specific apps installed: Grabos reports if any app in a predefined list is currently installed on the infected device (more on this later).<\/li>\n<\/ul>\n<p>All the information is encrypted and submitted to a control server. The remote server responds with encrypted data that contains parameters required to download music (URLs, API keys, user agents, client_id, etc.), to show advertisements (nativead_id, interstitial_id, banner_id, etc.) 
and display customized notifications such as asking the user to rate the app in Google Play:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82128 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-7.png\" alt=\"\" width=\"909\" height=\"127\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-7.png 909w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-7-300x42.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-7-768x107.png 768w\" sizes=\"auto, (max-width: 909px) 100vw, 909px\" \/><\/a><\/p>\n<p><em>Figure 7. \u201cRate this app\u201d parameters provided by the control server.<\/em><\/p>\n<p>The rating pop-up appears the first time the app is opened. If the button \u201cRate 5 Stars\u201d is clicked, the app opens in Google Play so the user can rate the app there.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82129 size-medium\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-8-169x300.png\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-8-169x300.png 169w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-8-281x500.png 281w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-8.png 407w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/a><\/p>\n<p><em>Figure 8. 
Rating pop-up.<\/em><\/p>\n<p>In a similar way, the remote server also provides parameters to ask the user to share the app with friends, promising faster download speeds:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82130 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-9.png\" alt=\"\" width=\"817\" height=\"176\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-9.png 817w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-9-300x65.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-9-768x165.png 768w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><\/a><\/p>\n<p><em>Figure 9. \u201cShare the app\u201d parameters provided by the control server.<\/em><\/p>\n<p>The control server also sends the parameter \u201cis_forced_blacklisted,\u201d which manually blacklists the device if the value is \u201ctrue,\u201d preventing the execution of the hidden app.<\/p>\n<h2><strong>Mysterious functionality<\/strong><\/h2>\n<p>In addition to reporting an infected device\u2019s location and configuration, Grabos checks if specific social and Google apps are installed using the method isPackageInstalled and the app package name. 
Depending on whether an app is currently installed, the corresponding value is set to true or false, and that information is encrypted and reported to the control server:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82131 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-10.png\" alt=\"\" width=\"340\" height=\"252\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-10.png 340w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-10-300x222.png 300w\" sizes=\"auto, (max-width: 340px) 100vw, 340px\" \/><\/a><\/p>\n<p><em>Figure 10. Social and Google apps reported to the control server.<\/em><\/p>\n<p>We reported this finding to Google, who are investigating. At this point we do not know the purpose of this app reporting. However, we believe this information could be very useful to malware authors because Grabos has implemented several mechanisms to trick users into installing applications provided by the remote server. Let\u2019s look into those functions.<\/p>\n<h2><strong>Custom Push Notifications and Additional Apps<\/strong><\/h2>\n<p>After the initial settings are obtained from the remote server, the AsyncTask ShowNotificationIfNeeded is executed to check if the parameters n_title, n_description, and n_package were provided by the control server. 
If that is the case, Grabos checks if the app is available on Google Play (if \u201cpack\u201d is a name and not a URL) or on a remote server (if \u201cpack\u201d starts with HTTP).<\/p>\n<p>If the application is not installed and is available, Grabos gathers additional parameters (for example, icon and bigicon) from the remote server response to create a custom notification and trick the user into installing the app:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82132 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-11.png\" alt=\"\" width=\"932\" height=\"256\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-11.png 932w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-11-300x82.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-11-768x211.png 768w\" sizes=\"auto, (max-width: 932px) 100vw, 932px\" \/><\/a><\/p>\n<p><em>Figure 11. 
Parameters provided by the control server to create a custom notification.<\/em><\/p>\n<p>Grabos also checks if the remote server provided the following parameters:<\/p>\n<ul>\n<li>interstitial_letang_options: provides values to delay and repeat the display of an activity (initial_delay and min_interval)<\/li>\n<li>interstitial_letang: includes the following remote commands:\n<ul>\n<li>admob: executes method \u201cshowAdmobInterstitial\u201d<\/li>\n<li>nothing<\/li>\n<li>grabos_direct<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>If the command is grabos_direct, Grabos gets the title, package, and max_times_shown values in the parameter grabos_direct_interstitial to open the app in Google Play or trigger a download:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82133 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-12.png\" alt=\"\" width=\"557\" height=\"409\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-12.png 557w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-12-300x220.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/a><\/p>\n<p><em>Figure 12. Downloading an APK from a URL or opening the app on Google Play.<\/em><\/p>\n<p>Both the notification and the interstitial_letang methods, which trick the user into downloading or installing apps, are executed in the background every time there is a connectivity change. However, Grabos also implements another app delivery method when the music downloader executes. 
This method, ShowGrabosIfNeeded, is very similar to interstitial_letang in that it checks if the required parameters are present and the app is available as well as checking if the app should be opened without the user\u2019s consent:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82134 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-13.png\" alt=\"\" width=\"935\" height=\"126\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-13.png 935w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-13-300x40.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-13-768x103.png 768w\" sizes=\"auto, (max-width: 935px) 100vw, 935px\" \/><\/a><\/p>\n<p><em>Figure 13. Grabos checking whether the installed app should be opened.<\/em><\/p>\n<p>As soon as Grabos confirms that the device is online, the app is available either on Google Play or a remote server, and the package is not installed, the malware gets the following parameters from the remote server response to create an AlertDialog and trick the user into downloading another app:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82135 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-14.png\" alt=\"\" width=\"766\" height=\"306\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-14.png 766w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-14-300x120.png 300w\" sizes=\"auto, (max-width: 766px) 100vw, 766px\" \/><\/a><\/p>\n<p><em>Figure 14. 
Grabos parameters to create an AlertDialog.<\/em><\/p>\n<h2><strong>Flying Under the Radar: Evading Analysis<\/strong><\/h2>\n<p>In addition to the multiple efforts to detect if the app is being dynamically analyzed (emulator, adb, development settings) and the encryption of the injected code, Grabos updates its remote settings every 24 hours (unless it is in test mode). This restriction can be easily bypassed by changing the date and time of the device used to analyze the app. However, recent versions of Grabos include checks to detect if the automatic date and time and time zone are enabled:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82136 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-15.png\" alt=\"\" width=\"731\" height=\"461\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-15.png 731w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-15-300x189.png 300w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><\/a><\/p>\n<p><em>Figure 15. Grabos checks if automatic date and time and time zone are enabled.<\/em><\/p>\n<p>The status of this setting is reported to the control server in the fields time_is_auto and time_timezone_is_auto. Although this check is not used in the Grabos code, the information could be used to determine if the app is being dynamically analyzed and decide if an additional payload should be delivered.<\/p>\n<p>The URLs used as control servers indicate that Grabos tries to masquerade its network traffic as legitimate. At first sight the URLs appear to belong to familiar adware companies; the names are identical. 
However, instead of finishing with .com, Grabos uses domains such as .link and .click, which are not registered by the company.<\/p>\n<p>Finally, Grabos defines an additional mechanism, currently not implemented, to blacklist or whitelist a specific device. For example, the device could be blacklisted or whitelisted in a future version depending on the country code or configured language of the infected device:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82137 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-16.png\" alt=\"\" width=\"436\" height=\"76\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-16.png 436w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-16-300x52.png 300w\" sizes=\"auto, (max-width: 436px) 100vw, 436px\" \/><\/a><\/p>\n<p><em>Figure 16. Blacklist and whitelist functions based on language and country code.<\/em><\/p>\n<p>Grabos also defines (but does not implement) methods to blacklist a device based on IP address:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-82139 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-17.png\" alt=\"\" width=\"576\" height=\"124\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-17.png 576w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-17-300x65.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/a><\/p>\n<p><em>Figure 17. 
Blacklist functions based on IP address information.<\/em><\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>During our analysis of this threat, the control servers always provided empty parameters for the custom notifications to trick users into installing applications. Taking into account the functionality to display ads and the high number of downloads, we believe the main purpose of Grabos is to make money by promoting the installation of apps.<\/p>\n<p>Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app. However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to download and install additional apps and open them without their consent.<\/p>\n<p>Considering that Grabos also reports the presence of specific social and Google apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code. Although during our analysis the remote servers did not deliver the required parameters to trigger custom notifications, the devices remain exposed to the download of additional Android apps.<\/p>\n<p><a href=\"https:\/\/www.mcafeemobilesecurity.com\/\" target=\"_blank\" rel=\"noopener\">McAfee Mobile Security<\/a> detects this threat as Android\/Grabos. 
To protect yourselves from threats like this on Google Play, employ security software on your mobile devices, check user reviews, and avoid installing suspicious apps with screenshots or functionality that do not correspond to the name of the app.<\/p>\n<p><em>We would like to thank Sebastian Porst and Jason Woloz from Google\u2019s Android Security for their helpful contributions on this research.<\/em><\/p>\n<h2><strong>List of Grabos Package Names<\/strong><\/h2>\n<ul>\n<li>com.picklieapps.player<\/li>\n<li>com.musicaplayer.stonetemples<\/li>\n<li>com.mp3musicplayer.playmusicmp3<\/li>\n<li>com.densebutter.musicplayer<\/li>\n<li>com.airplaneapps.soundmeter<\/li>\n<li>com.dinosaursr.musicplayer<\/li>\n<li>com.tenuousllc.humneate<\/li>\n<li>com.astropie.musicplayer<\/li>\n<li>info.chargeshoes.videoplayer<\/li>\n<li>com.callsaver.doubtful<\/li>\n<li>com.unfestenedsail.freeapp<\/li>\n<li>com.extendmilk.freeplayer<\/li>\n<li>com.excellentlossapps.playermusic<\/li>\n<li>com.AliciaTech.free<\/li>\n<li>com.mp3player.musicplayer.freelocalmusicplayer<\/li>\n<li>com.freemusicplayer.freemusicplayer.free<\/li>\n<li>com.afromusicplayer.fremediaplayer<\/li>\n<li>com.info_astro.glider_player<\/li>\n<li>com.illfatednotice.humdrum<\/li>\n<li>com.headybowl.musicplayer<\/li>\n<li>com.musicgratisplayerfree.free<\/li>\n<li>com.naturityllc.mp3player<\/li>\n<li>info.anothertube.music.player<\/li>\n<li>com.startdancingapps.callrecorder<\/li>\n<li>com.social.video.saver.pro<\/li>\n<li>es.gratis.video.downloader.hd<\/li>\n<li>com.sportingapps.copyleft_music.player<\/li>\n<li>com.auto_call_recorder.freeapp<\/li>\n<li>com.freenewsreader.rssfeed<\/li>\n<li>ar.music.video.player<\/li>\n<li>com.curatorinc.ringtone.search<\/li>\n<li>com.mp3musicplayer.local_files_player<\/li>\n<li>com.copyleft.stream.musica.player<\/li>\n<li>info_de.mp3.music.player<\/li>\n<li>com.nobodybeats.musicplayer<\/li>\n<li>com.file.manager.pronessbest<\/li>\n<li>info.ark.music.mp3.player<\/li>\n<li>com.air.browser.free<\
/li>\n<li>com.aneeoboapps.playlistmanager<\/li>\n<li>com.local_music_player.free_mp3_player<\/li>\n<li>com.greenlinellc.voicechanger<\/li>\n<li>com.free.playlist.creator.tube<\/li>\n<li>com.toporganizer.fileorganizer<\/li>\n<li>com.thumb.webbrowse<\/li>\n<li>com.aspirator.ringtones.player<\/li>\n<li>com.freevideoplayer.musicplayer<\/li>\n<li>com.vimfast.videodl<\/li>\n<li>com.whimsical.piano.free<\/li>\n<li>com.truckneat.freeapp<\/li>\n<li>com.crowdedarmy.volume.controller<\/li>\n<li>com.arnold_legal.mp3.musica<\/li>\n<li>com.descent.shutterfly<\/li>\n<li>com.thankyou.arrowplayer<\/li>\n<li>com.pocahantasapps.musicplayer<\/li>\n<li>com.astroplayer.freee<\/li>\n<li>com.couchpotato.musica.play_stream<\/li>\n<li>com.abstractly.musica.player<\/li>\n<li>com.matsumoto.mp3player<\/li>\n<li>com.musicequalizer.freeequalizer<\/li>\n<li>com.lifesbad.fileexplorer<\/li>\n<li>com.videolunch.free<\/li>\n<li>legal.copyleft.cc.mp3.music<\/li>\n<li>com.ark.music.mp3.player<\/li>\n<li>info.musik.mp3.music<\/li>\n<li>com.streamerplayer.stream_videos<\/li>\n<li>info.voicerecorder.recordvoice<\/li>\n<li>com.snip.browser<\/li>\n<li>com.checkrein.musicapp<\/li>\n<li>com.mp3musicplayer.freemusicplayer.playmusic<\/li>\n<li>com.jadedprogram.mp3player<\/li>\n<li>com.preoral.freeborn<\/li>\n<li>com.voice.changer.freeappsapp<\/li>\n<li>es.streamplay.stream.player<\/li>\n<li>com.localmp3music.freeplayer<\/li>\n<li>com.drummachine.machinedrums<\/li>\n<li>com.coloringbook.freetrynow<\/li>\n<li>com.videodownloader.social_video_download<\/li>\n<li>com.ElephantApps.FileManager<\/li>\n<li>com.scaricare.app.musica<\/li>\n<li>com.quicksearch.tube.player<\/li>\n<li>com.rooseveltisland.mp3player<\/li>\n<li>com.mindprogram.musicf<\/li>\n<li>com.freeborn.sdkintegration<\/li>\n<li>com.koseapps.tubemusica<\/li>\n<li>fr.baixar.videos.gratis<\/li>\n<li>info.adeptly.forgoneapp<\/li>\n<li>us.musicas.gratis.player<\/li>\n<li>com.miniaturef.swanky<\/li>\n<li>com.insta.mp3.music.streamer<\/li>\n<li>com.anchor.musicpl
ayer<\/li>\n<li>com.repeate.mp3musicplayer<\/li>\n<li>com.FeisalLLC.MusicPlayer<\/li>\n<li>com.shelfshare.freeapp<\/li>\n<li>info.simple.streamer.player<\/li>\n<li>com.streamplayer.freearnold<\/li>\n<li>com.freeturkish.video.downloader<\/li>\n<li>com.cowherd.freeapp<\/li>\n<li>com.localmp3musicplayer.local_player<\/li>\n<li>com.scaricare.apps.musica<\/li>\n<li>com.silymove.freeapp<\/li>\n<li>com.pinkphone.funfreetube<\/li>\n<li>info.tissuepaper.freemusic<\/li>\n<li>com.chopsuey.musicplayer<\/li>\n<li>com.branchnotice.musicplayer<\/li>\n<li>com.fradcip.MasterApp<\/li>\n<li>sv.music.player.mp3.ares<\/li>\n<li>com.social.video.downloader.for_fb<\/li>\n<li>com.frobenius.time.tube<\/li>\n<li>com.spelldoom.comeup<\/li>\n<li>com.bailymusic.player<\/li>\n<li>com.sportifco.musicplayer<\/li>\n<li>com.topsaver.video.downloader<\/li>\n<li>com.coupleweeks.modcium<\/li>\n<li>com.unbecomingllc.videodownloader<\/li>\n<li>com.video.for_fb.downloader.saver<\/li>\n<li>com.macdrop.apptool<\/li>\n<li>com.callsaver.recorderfreeapp<\/li>\n<li>com.arnie_legal.mp3.musica<\/li>\n<li>com.kikiapps.freeplayer<\/li>\n<li>com.pintaapps.expensetracker<\/li>\n<li>com.marble.musicequalizer<\/li>\n<li>com.artproject.searcher<\/li>\n<li>com.UnitTest.FreeApp<\/li>\n<li>com.exudedplayer.freemusicplayer<\/li>\n<li>com.blackballed.player<\/li>\n<li>com.mp3player.decisiveapps<\/li>\n<li>com.rusticd.musicplayer<\/li>\n<li>com.byunhyeong.jungfree<\/li>\n<li>com.voicelessapps.mp3musicplayer<\/li>\n<li>com.localmp3player.freeplayer<\/li>\n<li>com.kinokunya.free<\/li>\n<li>com.socialvideo.downloader_vim<\/li>\n<li>com.viastore.video.saver_for_fb<\/li>\n<li>com.disarmbit.reache<\/li>\n<li>com.crackerbalancellc.mp3converter<\/li>\n<li>info.vaskollc.jpfree<\/li>\n<li>com.freemusicplayer.musicplayfreetoolpalyer<\/li>\n<li>com.combustionapps.musique<\/li>\n<li>com.arnold.mp3.musica<\/li>\n<li>com.purpleheadphones.audioplayer<\/li>\n<li>com.unscalableapps.free<\/li>\n<li>com.freefile.organizerfree<\/li>\n<li>com.free
.mp3.stream_cc_music<\/li>\n<li>com.mp3uncle.musiccamera<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>McAfee\u2019s Mobile Research team has found a new Android malware in 144 \u201cTrojanized\u201d applications on Google Play. We named this&#8230;<\/p>\n","protected":false},"author":462,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,180,214],"coauthors":[1104],"class_list":["post-82102","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-malware","tag-mobile-security1"],"acf":[],"yoast_head_json":{"title":"New Android Malware Found in 144 GooglePlay Apps","description":"McAfee\u2019s Mobile Research team has found a new Android malware in 144 \u201cTrojanized\u201d applications on Google Play. We named this threat Grabos.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"New Android Malware Found in 144 GooglePlay Apps","og_description":"McAfee\u2019s Mobile Research team has found a new Android malware in 144 \u201cTrojanized\u201d applications on Google Play. We named this threat Grabos.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-11-14T22:53:28+00:00","article_modified_time":"2025-05-28T04:27:45+00:00","og_image":[{"width":684,"height":693,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1.png","type":"image\/png"}],"author":"Carlos Castillo","twitter_card":"summary_large_image","twitter_creator":"@carlosacastillo","twitter_site":"@McAfee","twitter_misc":{"Written by":"Carlos Castillo","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/"},"author":{"name":"Carlos Castillo","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe"},"headline":"New Android Malware Found in 144 GooglePlay Apps","datePublished":"2017-11-14T22:53:28+00:00","dateModified":"2025-05-28T04:27:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/"},"wordCount":2515,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-296x300.png","keywords":["android","malware","mobile security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/","name":"New Android Malware Found in 144 GooglePlay 
Apps","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-296x300.png","datePublished":"2017-11-14T22:53:28+00:00","dateModified":"2025-05-28T04:27:45+00:00","description":"McAfee\u2019s Mobile Research team has found a new Android malware in 144 \u201cTrojanized\u201d applications on Google Play. We named this threat Grabos.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-296x300.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/11\/20171109-Grabos-1-296x300.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other 
Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"New Android Malware Found in 144 GooglePlay Apps"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe","name":"Carlos 
Castillo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/729f5b9d2761341175762c5f10652607","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg","caption":"Carlos Castillo"},"description":"Carlos Castillo specializes in the analysis of mobile threats and Android malware. Castillo performs static and dynamic analysis of suspicious applications to support McAfee\u2019s Mobile Security for Android product. He is the author of the McAfee-published white paper, \"Android Malware Past, Present, and Future,\u201d and wrote the \u201cHacking Android\" section of the book, \"Hacking Exposed 7: Network Security Secrets &amp; Solutions.\u201d As a recognized mobile malware researcher, Castillo has presented at several security industry events, including 8.8 Computer Security Conference and Segurinfo, a leading information security conference in South America. Prior to his position at McAfee, Castillo performed security compliance audits for the Superintendencia Financiera of Colombia, and worked at security startup Easy Solutions Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. 
Castillo joined the world of malware research when he won ESET Latin America\u2019s Best Antivirus Research contest with a paper titled, \u201cSexy View: The Beginning of Mobile Botnets.\u201d Castillo holds a degree in systems engineering from the Universidad Javeriana in Bogot\u00e1, Colombia.","sameAs":["https:\/\/www.linkedin.com\/in\/carlosacastillo\/","https:\/\/x.com\/carlosacastillo"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/carlos-castillo\/"}]}}}