Is your device at risk? Only Google knows
If you frequently download and use Android gaming applications on your device, then this part might frighten you slightly. According to a blog post by Dr.Web, over 60 Android games present on Google Play Store had Trojan-like attributes that effortlessly allowed them to download and execute malicious code hidden inside images.
A group of researchers from Russia discovered these rogue apps from Russian antivirus vendor Doctor Web and had been reported to Google last week, referring to them as Android.Xiny.19.origin. Before the tech giant decided to look carefully on its Play Store, malicious Android apps were an omnipresent element. Google managed to keep things in rigorous checks through an automated scanner called Bouncer that used emulation and behavior-based detection.
While bypassing Bouncer detection is not impossible, it is sufficient enough to keep most malware creators at bay. However, the authors of Android.Xiny.19.origin were much more ambitious. This is because their trojanized games are functional, but in the background they collect identifying information from targeted devices. This information could range from the phone’s unique IMEI and IMSI identifiers, along with its MAC address, mobile operator, country and language settings, operating system versions and several more things.
Additionally, these attackers also have the capability to instruct the apps to display advertisements, and to either install or delete apps silently if root access is enabled on the phone. The researchers have posted their findings below:
“Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly. Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images.”
After the crafted image is downloaded, the Trojan extracts an APK from it by using a special algorithm. It then loads the malicious code in the device’s memory by using the DexClassLoader Android function. Also, the two researchers displayed that they could hide an APK inside an image file while keeping the image valid when opened. However, when applying a decryption algorithm to it, they could recover the APK.
Furthermore, the researchers mentioned that DexClassLoader can be used to dynamically load the APK into memory, exactly as Android.Xiny.19.origin does now. Now that Google has been notified of this, hopefully the will come up with a suitable fix, or fixes.