Security experts have identified a couple of shady Russian applications that have been advertised on Google Play as “GTA 3 Moscow City”, “Super Mario Bros” and other popular games.
According to Symantec
, the rogue apps masqueraded a Trojan called Android.Dropdialer
and somehow managed to remain undetected from June 24 until recently. In the meantime, they’ve been downloaded tens of thousands of times by unsuspecting Android users.
Researchers believe that the malware has avoided detection by using a remote payload.
How does this work?
The component posted on Google Play, the first payload, doesn't contain any malicious code.
When installed, it prompts the user for product activation. In this case, before the second package is downloaded, the victim is presented with a set of rules which vaguely reveals that the process would involve some sort of cost, Lookout experts report
Those who agree to the rules are served an additional component called activator.apk
. This particular .apk, hosted on Dropbox, is installed just like a regular Android app, but it requests permission to send SMSs.
With both pieces of the puzzle installed on a phone, text messages are sent to premium rate numbers from Beeline or Mobile TeleSystems networks. As researchers explain, the first package utilizes the second one to send the SMSs.
Once the SMSs are sent, the second payload prompts to uninstall itself.
Basically, the malware remains undetected because the app posted on the Google Play is not actually malicious, but this means that the cybercriminals must convince their victims to install two different programs.
However, this may not be such a problem since many users click the OK
button without giving it too much thought, especially when they’re in a hurry to play some allegedly great games.
The owners of Android devices are advised to be extra careful when installing applications, even if they’re from trusted sources. If a game requests permission to access services that cost money or phone calls, it’s a clear indicator that something is suspicious.