Researchers say that the malware is part of a larger attack

Oct 19, 2012 08:00 GMT  ·  By

Yesterday, we reported that mobile security firm Lookout was warning customers about a shady application stored on Google Play that mimicked an update for their Android app. Experts from TrustGo have thoroughly analyzed the threat.

Although the malicious element has been removed from Google Play, it’s still worth looking at because its capabilities are interesting, to say the least.

According to researchers, once it found itself on an Android smartphone, the malware – Trojan!FakeLookout.A – was capable of stealing SMS and MMS messages and uploading them to a remote server via FTP.

The Trojan also sent its masters a list of the files present on the device’s SD card. Based on this list, the cybercriminals could have the Trojan upload specific files from the card.
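The capability profile described above (read SMS/MMS, enumerate the SD card, talk to a remote server) is exactly the combination a reviewer can check for statically before installing an app. The script below is an added illustration, not code from TrustGo, Lookout or this article: it parses an AndroidManifest.xml and flags apps whose declared permissions match that profile. The permission names are real Android permissions; the two manifests are constructed samples (the Trojan's real manifest is not on this page), and the "security update" package name is made up.

```python
"""Static triage of Android manifest permissions against the capability
profile described for Trojan!FakeLookout.A: read SMS/MMS, enumerate the
SD card, and reach a remote server.

Added illustration, not code from TrustGo, Lookout or the article. The
permission names are genuine Android permissions; the manifests below are
constructed samples, not the Trojan's actual manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets that, taken together, match the behaviour the article describes.
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.RECEIVE_MMS"}
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
NETWORK = {"android.permission.INTERNET"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Flag the message-access + storage + network combination.

    Returns the matched permissions per bucket plus 'exfil_profile', which is
    True only when message access AND network access are both declared (the
    storage bucket is reported but is not required for the verdict, since an
    SMS stealer needs no SD card to exfiltrate messages).
    """
    perms = declared_permissions(manifest_xml)
    hits = {
        "sms": sorted(perms & SMS_READ),
        "storage": sorted(perms & STORAGE),
        "network": sorted(perms & NETWORK),
    }
    hits["exfil_profile"] = bool(hits["sms"]) and bool(hits["network"])
    return hits


# Constructed sample: a manifest for a supposed "security update" that asks
# for far more than an update needs (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_MMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed comparison: network access only, no message or storage access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("fakeupdate", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        verdict = "REVIEW" if result["exfil_profile"] else "ok"
        print(f"{name}: {verdict} {result}")
```

The check is deliberately coarse: a legitimate messaging client also declares READ_SMS and INTERNET, so a hit means "look closer at what this app claims to be", not "malware". For an app billing itself as an update to a security product, that closer look is what would have caught the mismatch.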

TrustGo experts accessed the FTP server on which the stolen files were stored and they found not only SMS messages but also some video files.

The server, apparently located somewhere in Colorado, US, also hosts a malicious website that’s designed to drop a backdoor Trojan.

Interestingly, this website serves the malware not only to Windows users, but also to those running Mac OS and Linux. Depending on the visitor’s OS, the site drops a different Trojan.

As it turns out, the malware found on Google Play is just a part of a larger attack.

Judging by the complexity of the campaign, it’s likely that the cybercriminals who run it will somehow resurrect the Android Trojan (if they haven’t done so already) and disguise it as another legitimate-looking app.

Since it could be anything from a popular game to a different mobile security application, Android users are advised to be extra cautious when installing apps, even if they’re downloaded from a trusted source.

Google Play is trying hard to keep the app market clean, but it’s clear that some threats will always slip by.