The trojan is only effective on devices running Android 4.3

Aug 5, 2016 12:47 GMT

Russian security firm Dr.Web has discovered a new Android-targeting trojan that can buy and then install applications hosted on the Google Play Store.

Named Android.Slicer, this trojan is embedded in a phone optimization app that offers to clean the device's memory by shutting down unused applications.

The app can also turn a phone's Wi-Fi and Bluetooth modules on and off via quick commands shown on the user's homescreen in the form of a floating popup.

Your classic adware trojan...

This app ends up on devices installed either by users themselves or by other malware. Once it reaches a device, it gathers information about the smartphone and sends it to its C&C server.

This includes the phone's IMEI identifier, MAC address, device manufacturer, and OS version.

At this point, the Android.Slicer C&C server will reply by telling the trojan to display ads, open a page in the user's browser, or open the Google Play Store on a designated app page.

... with a twist

In the latter case, security researchers have observed that, for devices running Android 4.3, Android.Slicer will download a rootkit named Android.Rootkit.40 that will root the device and give Android.Slicer enhanced control of the OS.

The trojan uses these new-found powers to tap on buttons shown inside the Play store app, such as the "Continue," "Install," and "Buy" buttons.

This functionality can lead to serious financial damage for infected users, but the good news is that Google prevents the rootkit from working on devices running the SELinux component, which comes with all Android versions 4.4 and higher.

Despite this intrusive behavior, Android.Slicer's main function is to deliver ads to all infected devices.

Once the trojan installs these new apps, it can also add a homescreen shortcut for each app it managed to install.

The app in which Android.Slicer is hidden