There are over 60 Trojanized game apps on Google Play, researchers said.
The games look like other offerings but hide a Trojan (dubbed “Xiny”) that collects device information, shows unwanted ads, and can download additional malicious apps.
The offending developer accounts — Billapps, Conexagon Studio, Fun Color Games — are still up even though the researchers notified Google about them.
These accounts apparently are from the same attackers because the device information the Trojan collects is the name of the app in which it has been “folded” into.
Other information collected by the Trojan and sent to the C&C server are the device’s IMEI and IMSI, MAC address, information about the mobile operator, OS version, selected country and language, information about whether or not a memory card is in the device, and whether the malicious app is located in the system folder.
The Trojan can receive orders from the C&C, so the cybercriminals can make it display ads, download potentially malicious apps and prompt the user to install them, installs and delete programs if root access is available on a device, and launch arbitrary APK (Android application package) files received from the C&C server.
“The way APK files are launched looks as follows: Android.Xiny.19.origin downloads a specially created image, which contains the corresponding file object hidden with the help of steganography, from the server. Then the Trojan retrieves the apk file using a special algorithm. After that, the malicious application loads the file into RAM of the infected device using the DexClassLoader class,” said researchers at Dr. Web.
The theory behind the approach is so AV solutions would have a harder job detecting the malicious code, and so malware analysts would perhaps overlook the delivered image.