Bad news for Android users, according to the security Doctor Web firm dozens of game apps in the Google Play Store have been infected with the Android.Xiny.19.origin Trojan. The malware could allow attackers to control the victim’s mobile device, by installing and running any kind of software (apk files), it also allows to display annoying advertisements.
“However, the main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cybercriminals’ command. However, the way it is carried out is rather unique.” states a blog post published by Doctor Web.
The malware collects information from the infected device and sends them back to the command and control server, it gathers the IMEI identifier, the MAC address, version and language of the operating system and the mobile network operator’s name.
Experts at Doctor Web discovered more than 60 games infected by the Android.Xiny distributed in the Official Android Google Play Store. The malicious app were apparently deployed by over 30 different that used different names, including Conexagon Studio, Fun Color Games and BILLAPPS.
“At first glance, these affected games look similar to numerous such-like applications; and they are games indeed, with just one difference—while a user is playing a game, the Trojan is performing its malicious activity.” states Doctor Web.
Another interesting feature implemented by the authors of Android.Xiny is that the malware hides malicious program in specially created images by using steganography. Android.Xiny receives malicious images from the server and then retrieves the apk they contain.
The Android.Xiny malware is able to perform many other malicious operations without the user’s consent. The researchers noticed that despite it is not yet able to gain root privileges, it has the ability to download the proper exploit in order to gain root access to the device.
“Android.Xiny.19.origin can perform other malicious functions, such as to download and prompt a user to install different software, or to install and delete applications without the user’s knowledge if root access is available on the device.” continues the post.
“it can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.”
Doctor Web has already reported the discovery to Google.
Unfortunately, the fact that the malware author chose the Google Play to distribute the malware is not a novelty, in January Lookout firm discovered 13 Android apps infected with the Brain Test malware and available for download on the official Google Store.
(Security Affairs – Android, Android.Xiny, mobile)