8 malicious apps were detected on the Google Play store

by Olivia Morelli - - 2017-11-16

Corrupted applications drop a multi-stage malware on Android devices

Multi-stage malware targets Android users

According to the Android experts, eight malicious apps were spotted on the Google Play store that were developed to infiltrate a multi-stage malware on the devices. Despite the excellent ability to circumvent antivirus systems, the bogus programs were identified as Android/TrojanDropper.Agent.BKY by the professional security software.

Luckily, none of these harmful applications received more than several hundred downloads and were removed from the Android app store immediately. However, those who suffered from the attack were mainly located in Netherlands and reached the final stage of the malware^[1].

Malicious program passes through 4 phases to load a banking Trojan

Researchers from ESET^[2] explain that the malware is able to hide itself since it doesn’t ask any suspicious permissions to gain administrative rights at first and impersonates a legitimate activity that the app is supposed to perform.

After the installation, the malicious app stealthily decrypts and executes malware payloads in a 4-stage process. This activity is invisible to the users because they are deluded by the regular app procedures. Usually, they offer system optimization or other innocent services.

The first phase decrypts and executes a second-stage payload as mentioned above, which contains an URL that is hardcoded. Shortly after, it downloads a third-stage payload that disguises under a well-known app such as Adobe Flash Player or its update.

To confuse the victims even more, it delays the request to install the application for several minutes. If the user permits the installation of the app, it drops a final payload and takes over the administrative rights of the device.

According to our research, the final phase launches a banking Trojan that displays fake log-in pop-ups that steal usernames, passwords, and other credentials of the victims^[3].

Bogus applications show links to the infamous Android virus

The term Android virus^[4] is used to describe a group of malicious apps that are designed to either steal personal information or encrypt data and demand a ransom. This attack is not an exception since it possesses similar distribution techniques as other phone threats which are attributed to the Android malware.

Be aware that you should carefully introspect applications you attempt to download since hackers manage to create new methods used to hide the presence of the malware. This multi-stage infection might inspire other criminals to examine possible system vulnerabilities^[5] and use them to deliver new bogus programs to the Google Play store.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ Pierluigi Paganini. Multi-Stage Android/TrojanDropper.Agent.BKY Malware Bypasses Google Play Detection Once Again. Security Affairs. Read, Think, Share.
^ Lukas Stefanko. Multi-stage Malware Sneaks into Google Play. We Live Security. Insights to the Latest IT Security News from ESET Experts.
^ Danny Palmer. Android security. Sneaky Three-stage Malware Found in Google Play Store. ZDNet. Technology News, Analysis, Comments and Product Reviews.
^ Jake Doevan. Android virus. How to remove? (Uninstall guide). 2Spyware. Security and Spyware News.
^ Security Vulnerabilities and Patches Explained. Search Results Communications Security Establishment.