ESET recently discovered a curious stealth attack aimed at Android users. The application in question looks like a normal game, but it has an interesting extra: it was packaged with a second application named SystemData or resourceA, which was clearly suspicious. Why would a normal game downloaded from the official Google Play Store include another application called "system data"? This particular game is certainly not a system application, whatever the name tries to suggest.
Although the bundled application is placed on the device without the user noticing, it still needs the user's approval before it can be installed. The application that requests that approval presents itself as "Manage Settings". Once installed, it runs as a background service.
ESET detects the Trojanized games as Android/TrojanDropper.Mapin and the Trojan itself as Android/Mapin. According to our telemetry, Android users in India are currently the most affected, accounting for 73.58% of observed detections.
The backdoor Trojan takes control of the device and makes it part of a botnet under the attacker's control. The Trojan sets timers that delay execution of the malicious payload, which disguises the fact that the Trojanized game is responsible for the suspicious behavior.
In some variants of this infiltration, at least three days must pass before the malware reaches the full functionality of the Trojan. This delay is probably what allowed the Trojan dropper to stay undetected for so long by Bouncer, Google's malware prevention system.
Next, the Trojan requests device administrator rights and starts communicating with its remote C&C server. Android/Mapin has several capabilities, such as pushing notifications, downloading, installing and launching applications, and obtaining private user information; however, its main goal appears to be displaying full-screen advertisements on the infected device.
The most interesting thing about this Trojan is that it was available for download from late 2013 through 2014, posing as the following games:
- Hill Climb Racing
- Plants vs Zombies 2
- Subway Surfers
- Traffic Racer
- Temple Run 2 Zombies
- Super Hero Adventure
The malware was uploaded to Google Play between 24 and 30 November 2013 and on 22 November 2014. According to MIXRANK, Plants vs Zombies 2 was downloaded more than 10,000 times before it was removed from the store.
Around the same time, System Optimizer, Zombie Tsunami, Tom Cat Talk, Super Hero Adventure, Classic Brick Game and the Google Play Store applications listed above, packed with the same backdoor and from the same developers, appeared on several alternative Android application markets.
We also found that the same backdoor was packaged with other applications uploaded by the developer PRStudio (not prStudio) to alternative Android markets, some of which link back to the official Google Play Store. This developer uploaded at least five more Trojanized applications to various third-party Android markets: Candy crush or Jewel crush, Racing rivals, Super maria journey, Zombie killer highway and Plants vs Zombies.
All of these infected games are still available for download from those markets and have been downloaded thousands of times. The icons of the fake games are shown here:
The way this malware runs varies. In some cases, the Trojan is dropped onto the device and, 24 hours after the downloaded application is first run, the victim is asked to install it. This is less suspicious to the user and makes them believe that the installation request comes from the operating system.
Other versions of the Trojan do not wait 24 hours but start immediately. All variants are triggered by a change in connectivity, through a broadcast receiver registered in the application's manifest.
When connectivity changes, the user is prompted to install the "system application". The malware poses as Google Play Update or Manage Settings.
If the user taps Cancel instead of Install, the installation request reappears on every subsequent connectivity change. The average user will be convinced that this is an important update and will probably install the application at some point, if only to get rid of the persistent notification. The Trojan then starts a service through its own registered broadcast receiver and waits for further connectivity changes.
When connectivity changes, the malware attempts to register with Google Cloud Messaging (GCM) so it can receive messages. After registering with GCM, Android/Mapin registers the infected device with its own server, sending the user name, the Google account, the IMEI, the registration ID and its own package name.
To avoid being uninstalled, the Trojan asks the user to activate it as a Device Administrator, and then notifies the remote server whether device administrator activation succeeded. Advertising then appears in a full-screen popup (an interstitial). The interstitial advertising is shown every time connectivity changes. To deliver these ads, the malware abuses the legitimate AdMob SDK.
The Trojan communicates with the server through Google Cloud Messaging (GCM), which lets it act on commands received from the server. This kind of communication channel is becoming increasingly common in malware.
The Trojan does not implement all of its features completely, and some of those that are implemented are never used. It is possible that this threat is still under development and that its creators will keep improving it. Its main purpose, controlled from the remote server, is to deliver ads to the end user aggressively while pretending to be a system application.
It can also deliver other malware to the user's device. It has the ability to enable or disable interstitial or banner advertising; change the publisher ID for the ads displayed; choose whether or not to show ads to the user; change the delay between ads; install, download and launch applications; push notifications; revoke its own device administrator rights; change the server the malware communicates with; and create home-screen shortcuts for URLs that install downloaded applications.
After executing each task received via GCM, the client device reports to the remote server over HTTPS that the task completed successfully.
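The behaviors described above (a second package hidden inside the game, a connectivity-change broadcast receiver that triggers the installation prompt, a device-administrator receiver and GCM registration in the payload) can be checked statically. The script below is an added example written for this article, not ESET's tooling or the malware's code. It assumes the manifests it inspects are plain-text XML as written by `apktool d game.apk` (the AndroidManifest.xml inside an APK is binary XML and must be decoded first), identifies nested packages by content rather than by a `.apk` suffix because the payload shipped under names like SystemData or resourceA, and compares nested packages against the Android/Mapin MD5s from the indicator table on this page. The sample manifests and the sample package are constructed here for the demonstration.

```python
"""Static triage for the Android/Mapin dropper pattern (added example, not ESET's or the author's code)."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

ANDROID = "{http://schemas.android.com/apk/res/android}"
CONNECTIVITY_ACTION = "android.net.conn.CONNECTIVITY_CHANGE"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"

# MD5s of the Android/Mapin payload (com.appgp.main / com.system.main) taken from the indicator table on this page.
KNOWN_PAYLOAD_MD5 = {
    "f8df9e2d21018badc7555a9233a8b53e", "5586e93ac84317348904adfe01c9715c",
    "c19896fdd3b96b9324c6b79cc39eca5b", "195432955e70ec72018ead058f7abc2d",
    "f05ac3ac794ee8456db4d0331830d2d8", "f8879f759b00ed9d406dd14ce450584b",
}

# Constructed sample: a game manifest with a connectivity-triggered receiver (the dropper trigger).
SAMPLE_DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game">
    <receiver android:name=".NetReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a payload manifest with device-admin receiver, GCM permission and the same trigger.
SAMPLE_PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.payload">
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:label="Manage Settings">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".NetReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def manifest_features(manifest_xml):
    """Extract the Mapin-relevant signals from a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    features = {
        "connectivity_receiver": False,   # manifest-registered receiver for CONNECTIVITY_CHANGE
        "device_admin_receiver": False,   # receiver guarded by BIND_DEVICE_ADMIN (persistence)
        "gcm_receive": GCM_PERMISSION in permissions,  # C&C channel over Google Cloud Messaging
    }
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") == DEVICE_ADMIN_PERMISSION:
            features["device_admin_receiver"] = True
        for action in receiver.iter("action"):
            if action.get(ANDROID + "name") == CONNECTIVITY_ACTION:
                features["connectivity_receiver"] = True
    return features


def embedded_packages(apk_bytes):
    """List nested packages under assets/ or res/raw/: any ZIP entry that itself contains AndroidManifest.xml."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith(("assets/", "res/raw/")):
                continue
            data = outer.read(name)
            if not data.startswith(b"PK\x03\x04"):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" not in inner.namelist():
                        continue
            except zipfile.BadZipFile:
                continue
            digest = hashlib.md5(data).hexdigest()
            found.append({"path": name, "md5": digest, "known_mapin": digest in KNOWN_PAYLOAD_MD5})
    return found


def verdict(features, nested):
    """Combine the signals into a triage verdict string."""
    if any(p["known_mapin"] for p in nested):
        return "known Android/Mapin payload"
    if nested and features["connectivity_receiver"]:
        return "suspicious: embedded package with connectivity-triggered receiver"
    if features["device_admin_receiver"] and features["connectivity_receiver"] and features["gcm_receive"]:
        return "suspicious: Mapin-like payload manifest"
    return "no Mapin indicators"


def build_sample_apk():
    """Constructed stand-in for a Trojanized game: an outer ZIP carrying a second package as assets/SystemData."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:          # ZIP_STORED, so the entry starts with PK\x03\x04
        z.writestr("AndroidManifest.xml", SAMPLE_PAYLOAD_MANIFEST)
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_DROPPER_MANIFEST)
        z.writestr("assets/SystemData", inner.getvalue())
        z.writestr("assets/level1.png", b"\x89PNG")  # ordinary game asset, ignored
    return outer.getvalue()


if __name__ == "__main__":
    features = manifest_features(SAMPLE_DROPPER_MANIFEST)
    nested = embedded_packages(build_sample_apk())
    print(features, nested, verdict(features, nested), sep="\n")
```

On a real sample, run `apktool d` on the outer game, feed its decoded AndroidManifest.xml to `manifest_features()`, and pass the original APK bytes to `embedded_packages()`; any nested package it returns should then be decoded and checked the same way, since the device-administrator receiver and GCM permission live in the payload, not in the game.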
The Trojan made it onto the Google Play Store without difficulty, probably because Bouncer had not implemented all of the relevant malware-detection techniques; in this case, emulating a change in network connectivity. Another open question is why Bouncer did not statically analyze the executable file that was bundled with the game's other resources. As a result, the Trojan remained undetected and was openly distributed to users. The developer "SHSH" uploaded the infected game "Super Hero adventure" to the Play Store, and more of this developer's applications may still be on the official Google store.
Eventually, the Trojans were removed from the Google Play Store, but almost a year and a half passed before they were detected. Perhaps because of this and similar cases, Google announced that from March 2015 all applications and updates must pass a human review.
Best practices for avoiding malware from the official Google store are to download applications only from trusted developers and to read the reviews of people who already use them. You should also consider whether the permissions an application requests at installation are justified.
If something seems suspicious, send a sample to your antivirus vendor for analysis, explaining why you doubt the application.
App name | Package name | MD5 | Detection
---|---|---|---
Zombie Highway | com.heighwayzombie | 2f6323af124f9fd57edb1482827f9481 | Android/TrojanDropper.Mapin
Plant vs Zombie | com.plantzombie | 8721901a2caaeb98a19e0fb909ce2569 | Android/TrojanDropper.Mapin
USubway Suffer | com.subwaysuffers | ba3c1894310d38aa814ad3c58f1c8469 | Android/TrojanDropper.Mapin
Climb racing | com.hillclimbrace | 87cc79d6f6795fea0df109e181d1a3e8 | Android/TrojanDropper.Mapin
Temple run 2 Zoombie | com.templerunzombies | d5afd7ba5b3bd24cd4fa5201882e1a9d | Android/TrojanDropper.Mapin
Traffic Racer | com.traficracer | 9cbfd66f35a36d9f75a89f342da9c784 | Android/TrojanDropper.Mapin
Google Play update | com.system.main | f8df9e2d21018badc7555a9233a8b53e | Android/Mapin
Arrange Block – Brick game | com.game.arrangeblock | d7facf652d3947a53f85431ba8a4cd4a | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | 5586e93ac84317348904adfe01c9715c | Android/Mapin
Candy crush | com.tgame.candycrush | 745e9a47febb444c42fb0561c3cea794 | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | c19896fdd3b96b9324c6b79cc39eca5b | Android/Mapin
Super maria adventure | com.game.supermario | 0d7c889e8a9be51a58041d55095f104f | Android/TrojanDropper.Mapin
Super maria journey | com.tgame.maria | ee8e4e3801c0101998b7dfee33f35f95 | Android/TrojanDropper.Mapin
Google Play Update | com.appgp.main | 195432955e70ec72018ead058f7abc2d | Android/Mapin
highway Zombies killer | com.absgame.zombiehighwaykiller | 1516174c4a7f781c5f3ea6ac8447867b | Android/TrojanDropper.Mapin
 | com.appgp.main | f05ac3ac794ee8456db4d0331830d2d8 | Android/Mapin
Plants Vs Zombies | com.tgame.plantvszombie | 10edaf2b4c25375644faf78a25790061 | Android/TrojanDropper.Mapin
Google Play Update | com.appgp.main | f8879f759b00ed9d406dd14ce450584b | Android/Mapin
Plants Vs Zombies | com.popcap.pvz_row | 9b72df484915ce589ade74e65ecdfaed | Android/TrojanDropper.Mapin
Author Lukas Stefanko, ESET