Viking Horde malware found in five Google Play Store apps

May 9, 2016 23:51 GMT

A new Android malware family named Viking Horde, found on the Google Play Store, allows attackers to commit click fraud and SMS fraud, send spam messages, or even launch DDoS attacks from infected devices.

Discovered by security experts from Check Point, Viking Horde was found in five apps uploaded to the Play Store, named Viking Jump, Parrot Copter, WiFi Plus, Memory Booster, and Simple 2048.

Google has removed these apps in the meantime, but Check Point researchers are claiming that the same methods used to upload these malicious apps past Google's app review process may be used again in the future to upload new apps.

Malware uses an anonymous proxy to carry out communications

Check Point says that Viking Horde is particularly dangerous because it can target both rooted and non-rooted devices. It is extremely dangerous on rooted devices, where an update component allows the crook to constantly send the malware new packages that contain new attack features.

The malware is built around a C&C server, from which the crook sends instructions to all infected devices (called bots).

Communication between the server and the bot always takes place via an anonymous proxy. For each infected device, the C&C server sets up a separate proxy.

By utilizing this method, the Viking Horde operator can rest assured that nobody can track the botnet's activity back to his main server.

Viking Horde is mostly used to commit click-fraud

As for the malware's main mode of operation, Check Point says that in the vast majority of cases, Viking Horde was used to deliver ads to infected devices, and simulate user taps on those ads, helping the crook gain fees from affiliate advertising programs.

This is also where the anonymous proxy comes in handy, since it delays the moment at which these bots get blacklisted by advertisers.

Check Point says it discovered only one user complaining about SMS fraud, and that it only detected the technical capabilities to launch DDoS attacks and send spam, without actually seeing the botnet perform these types of attacks.

Researchers say that most of the infected users who downloaded Viking Horde-infected apps are from Russia, Spain, Lebanon, Mexico, and the US.

Last week, Russian antivirus maker Dr.Web discovered over 190 malware-infested apps on the Play Store, which it reported to Google, which had them removed.

Images: Apps in which researchers found Viking Horde malware; Location of Viking Horde victims