A new malware can secretly download and purchase applications from the Google Play Store, while also stealing things like account information, researchers said.
Skyfin reaches Android devices with the help of a different malware, Android.DownLoader, which is mostly distributed through third-party Android app stores.
This means users who download apps from any store other than Google’s are exposed to these attacks, so they need to check each APK for infection before installing it.
Skyfin can compromise the Google Play Store process to automatically download apps onto users’ devices, said researchers from Dr.Web. These apps are not installed; instead, the APK file is stored in the downloads folder so the user does not notice any difference on the phone.
“It steals a mobile device’s unique ID and the account of the device’s owner which are used to interact with Google services; it also steals various internal authorization codes for connecting to the Google Play catalog as well as other confidential data. Then the module sends this data to the main component of Android.Skyfin.1.origin, after which the Trojan sends the data to the command and control server along with the device’s technical information,” researchers said.
Using the collected data, Android.Skyfin.1.origin connects to the Google Play catalog and simulates the operation of the Play Store application. The Trojan can execute the following commands:
• /search – search in the catalog for the simulation of a user action sequence
• /purchase – request that a program be purchased
• /commitPurchase – confirm a purchase
• /acceptTos – confirm consent to a license agreement’s terms
• /delivery – request link to download an APK file from the catalog
• /addReview /deleteReview /rateReview – add, delete, and rate reviews
• /log – confirm a program download in order to artificially inflate the total number of installs
The malware receives a series of commands and can search the Google Play Store for a specific app, purchase it, accept the terms of service if there are any, add reviews, and rate apps.
“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server. Another Android.Skyfin.1.origin modification is more general. It can download any application from the catalog. For this purpose, the cybercriminals provide the Trojan with a list of programs for download,” Dr.Web researchers said.