A newly discovered Android Trojan can download applications from Google Play, but saves them onto the SD card instead of installing them, to keep this malicious activity hidden from the user, Doctor Web researchers warn.
Detected as Android.Skyfin.1.origin, the malware was designed to infiltrate running Google Play processes to engage into software downloading activities. The malware is believed to be distributed via Trojans in the Android.DownLoader family, which usually gain root access onto infected devices and covertly install additional malicious applications into the system directory.
According to Dr.Web security researchers, because Trojans such as Android.DownLoader.252.origin and Android.DownLoader.255.origin contain snippets of code that are characteristic to that of Android.Skyfin.1.origin, it’s likely that Skyfin is distributed specifically by those malicious applications, since they are related to it.
When launched on the infected machine, the malware injects a second module called Android.Skyfin.2.origin in the process of Google Play. This module is designed to steals the mobile device’s unique ID, along with device owner’s account, as well as internal authorization codes for connecting to the Google Play catalog, and various other confidential data.
The stolen information, which allows the malware to interact with Google services, is passed to the main component of Android.Skyfin.1.origin. The Trojan also sends all of the gathered data, along with the device’s technical information, to the command and control server.
The malware abuses the stolen data to connect to the Google Play catalog and simulate the operation of the Play Store application. Some of the commands it can execute include searching in the catalog to simulate user action, request application purchases, confirm purchases, confirm consent to a license agreement’s terms, and request link to download an APK file from the catalog.
Additionally, the malicious program was designed to add, delete, and rate reviews in the Google Play marketplace, as well as to confirm a program’s download, which artificially inflates the total number of installs for that application.
Downloaded programs, however, are not installed, but instead saved to the SD card, which prevents victims from noticing an increase in the number of applications on their devices. This also means that the Trojan is likely to stay unnoticed on the infected devices longer, where it can continue increasing the number of installs of specific Google Play applications and artificially raising their popularity.
The security researchers explain that several modifications of the Trojan are at large, including one that can download any app from the store, based on a list of software that the cybercriminals provide the malware with. Another variant can download only one program, namely com.op.blinkingcamera.
“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server,” the security researchers reveal.
Because Android.Skyfin.1.origin is installed in the system directory, only anti-malware applications that have root access on the infected device can remove it, Doctor Web notes.