Android.Dropdialer Identified on Google Play

Symantec has identified new malware posted to the official Google Play market. The threat was posted under two popular titles, one as "Super Mario Bros." and the other packaged as "GTA 3 Moscow City". Both were posted to Google Play on June 24 and have since generated in the range of 50,000 to 100,000 downloads.

What is most interesting about this Trojan is that it managed to stay on Google Play for so long, clocking up serious download figures before being discovered. Our suspicion is that this was due to the remote, staged payload employed by the Trojan: the package submitted to Google Play contained none of the malicious behaviour itself.

This is a technique I discussed in a blog post about a year ago, whereby the author of a malicious app breaks it up into separate, staged payloads so that the first stage shows no anomalies during the automated QA screening process. In the case of Android.Dropdialer, only the first stage was posted on Google Play. Once installed, it downloaded an additional package, hosted on Dropbox, called 'Activator.apk'.

Figure 2. Dispersed (staged) payload process of the mobile threat

This additional package sends SMS messages to a premium-rate number. An interesting feature of the secondary payload is that it prompts the user to uninstall it after the premium SMS messages have been sent, an obvious attempt at hiding the true intent of the malicious app. The premium-rate number targets Eastern Europe.
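As an added example (not code from the Symantec post, and not Dropdialer's own code), the following Python script shows the kind of triage check a reviewer could run over a decompiled app to flag the two halves of the pattern described above: a first stage that fetches an APK from a remote URL and hands it to the package installer, and a second stage that holds SEND_SMS, embeds a short-code number and invokes the uninstall intent on itself. The manifests, string constants, hosting URL and short code are constructed for this example; treating any bare 4-6 digit string as a candidate premium short code is a heuristic assumption, not a detail taken from the page. The Android intent actions and the package-archive MIME type are real platform constants.

```python
"""Heuristic triage of a decompiled Android app for the staged-payload
('dropper') pattern: stage 1 downloads a second APK and installs it,
stage 2 sends premium-rate SMS and then asks to be uninstalled.

Input is the app's AndroidManifest.xml (as text) plus the string constants
pulled out of its dex code (e.g. from apktool / strings output).
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android constants the heuristics key on.
PKG_MIME = "application/vnd.android.package-archive"  # MIME used to hand an APK to the installer
UNINSTALL_ACTIONS = {"android.intent.action.DELETE", "android.intent.action.UNINSTALL_PACKAGE"}

# A URL ending in .apk inside the app's own strings is the classic
# "download the next stage" indicator.
APK_URL = re.compile(r"https?://[^\s\"'<>]+\.apk\b", re.I)
# Assumption (heuristic): premium short codes are bare 4-6 digit numbers.
# Reported for review, never treated as proof on its own.
SHORT_CODE = re.compile(r"^\d{4,6}$")


def permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Score one APK's manifest plus its extracted string constants.

    Returns the individual indicators and a coarse verdict:
    'stage1_dropper' (fetches and installs a remote APK),
    'stage2_sms' (premium SMS sender that removes itself),
    'suspicious' (partial match) or 'no_indicators'.
    """
    perms = permissions(manifest_xml)
    strings = list(strings)
    ind = {
        "internet": "android.permission.INTERNET" in perms,
        "remote_apk_urls": sorted({u for s in strings for u in APK_URL.findall(s)}),
        "install_intent": PKG_MIME in strings,
        "sends_sms": "android.permission.SEND_SMS" in perms,
        "short_codes": sorted({s for s in strings if SHORT_CODE.match(s)}),
        "self_uninstall": bool(UNINSTALL_ACTIONS & set(strings)),
    }
    if ind["internet"] and ind["remote_apk_urls"] and ind["install_intent"]:
        verdict = "stage1_dropper"
    elif ind["sends_sms"] and ind["short_codes"] and ind["self_uninstall"]:
        verdict = "stage2_sms"
    elif ind["remote_apk_urls"] or (ind["sends_sms"] and ind["short_codes"]):
        verdict = "suspicious"
    else:
        verdict = "no_indicators"
    return {"verdict": verdict, **ind}


# Constructed samples for the example (not the real Android.Dropdialer artifacts).
STAGE1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
STAGE1_STRINGS = [
    "https://dropbox.example/u/0/Activator.apk",  # hypothetical hosting URL
    "/sdcard/Download/Activator.apk",
    "application/vnd.android.package-archive",
    "android.intent.action.VIEW",
]

STAGE2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.activator">
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
STAGE2_STRINGS = [
    "1234",  # constructed short code
    "android.intent.action.DELETE",
    "package:com.example.activator",
]

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scoreboard">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_STRINGS = ["https://example.com/api/v1/scores", "application/json"]

if __name__ == "__main__":
    for name, m, s in [("stage1", STAGE1_MANIFEST, STAGE1_STRINGS),
                       ("stage2", STAGE2_MANIFEST, STAGE2_STRINGS),
                       ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)]:
        print(name, triage(m, s))
```

The point the split makes visible is that only the stage-1 indicators (INTERNET plus a remote .apk URL plus the package-archive MIME type) are present in the package a market screener actually receives; SEND_SMS, the short code and the self-uninstall intent live in Activator.apk, which is never submitted. A static screen that stops at the uploaded APK therefore has to treat "downloads and installs another APK" as suspicious in its own right, and a dynamic one has to follow the download to see the second stage.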

We would like to thank the Android Security team for immediately removing the threat after we notified them of this discovery.

[Source: http://www.symantec.com/connect/blogs/androiddropdialer-identified-google-play]
