Researchers at Cisco Talos have discovered a new Trojan called GPlayed that labels itself as “Google Play Marketplace” and uses an icon that looks like a Play Store icon.
Researchers at Cisco Talos have discovered a new Trojan that masquerades as the Google Play Store when infecting an Android device. Dubbed ‘GPlayed’, the Trojan not only labels itself as “Google Play Marketplace” but also uses an icon that looks like the Play Store icon. Researchers note that the Trojan is “extremely powerful” because it has the ability to “adapt after deployment”: it can remotely load plugins, inject scripts and even edit new .NET code.
“Our analysis indicates that this Trojan is in its testing phase but considering its potential, every mobile user should be aware of GPlayed. Mobile developers have recently started avoiding the traditional App Store and instead want to deliver their software directly in their own way. But GPlayed is an example where it could be wrong, especially if a mobile user doesn’t know how to tell the difference between a fake app and a real app,” Cisco Talos researchers warned in their blog post.
The researchers also note that plugins can be added at runtime or bundled as package resources during packaging. As a result, the operators can extend the app’s capabilities without having to recompile and upgrade the Trojan package on an infected device. “It’s a full-fledged Trojan whose powers range from a banking Trojan to a full-fledged spy Trojan. This means that the malware can do anything from collecting the user’s banking credentials to monitoring the device’s location,” the researchers said.
Once enabled, the GPlayed Trojan starts performing many different tasks and tries to communicate with its command and control server to register the device. This registration includes personal information such as the phone model, IMEI number, phone number and country. The Trojan then tries to escalate and maintain its privileges: it requests administrator privileges on the device and asks the user to grant it access to the device’s settings. The screen asking for approval will not close until the user grants the privilege extension, and if the user manages to close the window, it pops up again after a while.
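As an added defender-side illustration (not code from the Talos report), the heuristic below flags installed apps that borrow Play Store branding under a non-Google package name, or that hold device-admin rights despite being sideloaded, which is the combination GPlayed relies on. The app inventory is constructed inline; how you collect it from a real device (package list, labels, device-admin state) is outside the snippet.

```python
import re

# Genuine package name of the Google Play Store app.
PLAY_STORE_PACKAGE = "com.android.vending"

# Labels that borrow Play Store branding, e.g. "Google Play Marketplace".
PLAY_LABEL_RE = re.compile(r"google\s*play", re.IGNORECASE)


def flag_play_store_impersonators(inventory):
    """Return {package: [reasons]} for apps that deserve a closer look.

    Each inventory entry is a dict with keys:
      package      - Android package name
      label        - display name shown in the launcher
      device_admin - True if the app is an active device administrator
      installer    - installing package, or None when sideloaded
    """
    findings = {}
    for app in inventory:
        reasons = []
        genuine = app["package"] == PLAY_STORE_PACKAGE
        branded = bool(PLAY_LABEL_RE.search(app["label"]))
        sideloaded = app.get("installer") is None

        # Play Store look-alike name on a package that is not the real store.
        if branded and not genuine:
            reasons.append("Play Store branding on a non-Google package")
        # Device-admin rights held by an app that did not come from a store.
        if app.get("device_admin") and sideloaded and not genuine:
            reasons.append("device admin held by a sideloaded app")

        if reasons:
            findings[app["package"]] = reasons
    return findings


# Constructed sample inventory; "org.constructed.fakeplay" is a placeholder,
# not a real indicator from the report.
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store",
     "device_admin": False, "installer": None},
    {"package": "org.constructed.fakeplay", "label": "Google Play Marketplace",
     "device_admin": True, "installer": None},
    {"package": "com.vendor.mdm", "label": "Corporate MDM",
     "device_admin": True, "installer": "com.android.vending"},
    {"package": "com.example.torch", "label": "Flashlight",
     "device_admin": False, "installer": None},
]

if __name__ == "__main__":
    for pkg, why in flag_play_store_impersonators(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```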
Cisco Talos researchers say the Trojan is in the final stages of testing and appears to be directed at Russian-speaking users. They also point out that as companies try to deliver their software directly to users, these threats become more common and put at risk users who are unable to distinguish between a real app and a fake app.