ESET, a leading global cyber security company, has discovered another set of malicious apps in the official Android app store.
Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, the eight apps form a new family of legitimate-looking, multi-stage Android malware with a delayed onset of malicious activity.
ESET has since notified Google’s security team about the issue. Google has removed all eight apps from its store; users with Google Play Protect enabled are protected by that mechanism.
Figure 1 – Six of the multi-stage downloaders discovered on Google Play
Despite their advanced anti-detection features, none of the apps had reached more than a few hundred downloads. The samples all employed a multi-stage architecture and encryption to stay under the radar. After being downloaded and installed, the apps tended not to request any suspicious permissions and even mimicked the activity the user expected them to exhibit.
In the background, however, the malicious app also decrypted and executed its first-stage payload, which in turn decrypted and executed the second-stage payload, which was stored in the assets of the initial app downloaded from Google Play. Both steps remained invisible to the user and served as obfuscation measures.
Figure 2 – Execution model of Android/TrojanDropper.Agent.BKY
The second-stage payload contained a hardcoded URL, from which it downloaded another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user was then prompted to install the downloaded app.
The app downloaded by the second-stage payload was disguised as well-known software such as Adobe Flash Player, or as something legitimate-sounding yet completely fictional, for example “Android Update” or “Adobe Update”. In every case, the app’s purpose was to drop the final payload and obtain all the permissions that payload needed for its malicious actions.
Once installed and having the requested permissions granted, the malicious app serving as the third-stage payload decrypted and executed the fourth-stage – and final – payload.
In all the cases investigated by ESET, the final payload was a mobile banking trojan. Once installed, it behaved like a typical malicious app of this kind: it could present the user with fake login forms to steal credentials or credit card details.
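The chain described above leaves two traits in the Play Store app itself that an analyst can check for before any stage runs: an encrypted next stage bundled under assets/, which looks like a high-entropy file with no recognisable format, and a classes.dex that references a runtime class loader, a cipher, or a hardcoded http(s) URL. The following triage script is an added example written for this article, not ESET’s tooling. It treats an APK as the zip file it is, scores assets by Shannon entropy, and scans the dex string pool for those markers; the sample APK it builds is constructed inline (no real code, no real malware), and the URL example.invalid, the asset names, and the 7.5-bit threshold are assumptions.

```python
"""
Triage heuristic for multi-stage Android droppers of the kind described above.
Added example; not ESET's analysis code. Indicators: an encrypted stage under
assets/ (high-entropy blob) plus a dex referencing a loader, a cipher, or a URL.
"""
import io
import math
import random
import re
import zipfile
from collections import Counter

# Strings a dropper's dex typically contains. The dex string pool is stored as
# plain MUTF-8, so a raw byte search works; type descriptors look like
# "Ldalvik/system/DexClassLoader;".
LOADER_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/PathClassLoader",
    b"javax/crypto/Cipher",
    b"android.app.action.ADD_DEVICE_ADMIN",
)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Assumed threshold: compressed media (PNG, MP3) also scores high, so keep the
# bar close to 8 bits and treat a hit as a lead, not a verdict.
ENTROPY_THRESHOLD = 7.5
MIN_ASSET_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the indicators found in an APK and a combined 'suspicious' flag."""
    findings = {"high_entropy_assets": [], "urls": [], "markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            data = z.read(info)
            if info.filename.startswith("assets/") and len(data) >= MIN_ASSET_SIZE:
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings["high_entropy_assets"].append((info.filename, round(ent, 2)))
            if info.filename.endswith(".dex"):
                findings["urls"].extend(
                    sorted({m.decode("ascii") for m in URL_RE.findall(data)}))
                findings["markers"].extend(
                    m.decode("ascii") for m in LOADER_MARKERS if m in data)
    # An encrypted blob alone proves nothing; require something that would load it.
    findings["suspicious"] = bool(findings["high_entropy_assets"]) and bool(
        findings["urls"] or findings["markers"])
    return findings


def build_sample_apk(with_stage: bool = True) -> bytes:
    """Constructed stand-in for an APK (no real bytecode, no real malware)."""
    rng = random.Random(1)  # deterministic so the sample is reproducible
    encrypted_stage = bytes(rng.getrandbits(8) for _ in range(4096))
    dex = b"dex\n035\x00" + b"\x00" * 64  # dex magic followed by padding
    if with_stage:
        dex += (b"Ldalvik/system/DexClassLoader;\x00Ljavax/crypto/Cipher;\x00"
                b"http://example.invalid/stage3.apk\x00")  # placeholder URL
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML header stub
        z.writestr("classes.dex", dex)
        z.writestr("assets/strings.txt", b"hello world\n" * 50)  # benign, low entropy
        if with_stage:
            # Innocuous name, random-looking content: what an encrypted stage looks like.
            z.writestr("assets/config.dat", encrypted_stage)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("dropper-like", build_sample_apk(True)),
                       ("benign", build_sample_apk(False))):
        print(label, triage_apk(apk))
```

Run against a real APK with `triage_apk(open("app.apk", "rb").read())`. The script deliberately does not parse the binary AndroidManifest.xml; a manifest parser (or `aapt dump badging`) is the natural next step to confirm that the app also declares a device-admin receiver, which the third-stage payload in this campaign relies on.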
One of the malicious apps downloaded its final payload using the bit.ly URL shortener. Thanks to this, ESET was able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times with the vast majority of hits coming from the Netherlands.
Figure 4 – Download stats for the final payload of one of the malicious apps, as of November 14, 2017
How to get rid of it
If you’ve downloaded any of these apps, you need to (i) deactivate admin rights for the installed payload, (ii) uninstall the surreptitiously-installed payload and (iii) uninstall the app downloaded from the Play Store. The order matters: Android will not uninstall an app while it is still an active device administrator, so step (i) has to come first.
To deactivate admin rights for the installed payload, go to Settings > (General) > Security > Device administrators and search for Adobe Flash Player, Adobe Update or Android Update.
To uninstall the installed payload, go to Settings > (General) > Application manager/Apps and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.
To uninstall the malicious app downloaded from the Play store, go to Settings > (General) > Application manager/Apps and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO.
Note that the settings structure may vary slightly depending on Android version.
How to stay protected
Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.