
Trojan targeted dozens of games on Google Play


Batu69


 

Doctor Web security researchers detected the Android.Xiny.19.origin Trojan that targeted dozens of games published on the Google Play store. The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements.

 

The Trojan was incorporated into more than 60 games that were then distributed via Google Play in the names of more than 30 game developers, including Conexagon Studio, Fun Color Games, BILLAPPS, and many others. Although Doctor Web has already informed Google about this incident, to this day, the affected applications are still available on Google Play. It is recommended that you do not download games from the store to devices without anti-virus software in the next few hours.

 

At first glance, these affected games look similar to numerous such-like applications; and they are games indeed, with just one difference—while a user is playing a game, the Trojan is performing its malicious activity.

 

Android.Xiny.19.origin sends the following information on the affected device to the server: its IMEI identifier and MAC address, a version and a current language of the operating system, and mobile network operator name. What is more, cybercriminals get information about accessibility of a memory card, name of an application, which the Trojan is incorporated into, and whether this application is in the system folder.

 

However, the main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cybercriminals' command. However, the way it is carried out is rather unique. To masquerade the malicious program, virus makers hide it in specially created images by applying steganography. Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly. Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images.

 

Upon receiving a necessary image from the server, Android.Xiny.19.origin retrieves a hidden apk file with the help of a special algorithm and then executes it.

 

Android.Xiny.19.origin can perform other malicious functions, such as to download and prompt a user to install different software, or to install and delete applications without the user’s knowledge if root access is available on the device. Besides, the malicious program can display annoying advertisements.

 

Android.Xiny.19.origin is not yet able to gain root privileges. However, given that the Trojan is mainly designed to install software, it can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.

 

Doctor Web security researchers would like to warn users against installing dubious applications even if they are published on Google Play. Dr.Web for Android successfully detects all the known applications containing Android.Xiny.19.origin, so they do not pose any threat to our users.

 

More information about this Trojan

 

Article source


Researchers Found 60+ Malware Infected Android Gaming Apps on Play Store

 

For cybercriminals, developing Android malware is a piece of cake, and the problem is that Google just does not care.

 

According to Dr.Web’s security researchers, Google’s official Play Store is extremely unreliable because over 60 Android games available on this platform contain Android.Xiny, a malicious Trojan. It was also discovered that around 30 different developers were responsible for uploading these 60+ infected games. However, all the games were so similar in packaging and behavior that these appeared to be uploaded by the same source.


 

When any of these games were downloaded by users, it resulted in the compromise of their personal information, which was then transferred to a remote command and control server. The information collected includes IMEI and IMSI identifiers, mobile operator information, country and language settings, OS version, MAC address of the phone, the kind of memory card inserted into the device, and the app from which the Trojan was collecting all the information.

 

It makes sense that the Trojan collects information about the app because it happens when the system is infected with multiple malicious apps. This also highlights another fact that these games could have been developed and deployed on the Play Store by the same bad actor.

 

The malicious Android.Xiny malware displays ads and also invites other malicious apps on the system after installing itself.

 

When the data is transferred to the related command and control server, according to the phone specifications of the victim, the malware operator instructs the Trojan to escalate its presence in the device by getting other malicious applications deployed on the system along with displaying ads.

Article source



1 hour ago, Petrovic said:

For cybercriminals, developing Android malware is a piece of cake, and the problem is that Google just does not care.

 

That sounds like a personal comment and you don't have a damn thing to back it up.  All the various app stores have been fighting trojans and other malware in their programs and it isn't an easy task but there is no way to stop 100% of anything.  You always have the option of not adding anything to any of your devices but that's no guarantee that the manufacturer hasn't had an infected image in the factory that was used on thousands of systems and thus all are infected.  Face it, the only thing in life that is absolutely 100% sure, without an iota of doubt, is death.



Trojanized Android Games Hide MALICIOUS CODE In IMAGES

The attack was likely inspired by a technique demonstrated by researchers over a year ago...

 


 

The attack is very similar to a concept presented at the Black Hat Europe security conference in October 2014 by researchers Axelle Apvrille and Ange Albertini.

 

The two researchers showed at the time that they could hide an APK inside an image file while keeping the image valid when opened. However, when applying a decryption algorithm to it, they could recover the APK. Furthermore, the researchers even mentioned that DexClassLoader can be used to dynamically load the APK into memory, exactly as Android.Xiny.19.origin does now.

 

Over 60 Android games hosted on Google Play had Trojan-like functionality that allowed them to download and execute malicious code hidden inside images.

 

The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

 

Malicious Android apps were a common occurrence on Google Play until a few years ago when Google implemented more rigorous checks. This included an automated scanner called Bouncer that used emulation and behavior-based detection.

 

Bypassing Bouncer detection is not impossible, but is hard enough to keep most malware creators away. Most Android Trojans these days are distributed through third-party app stores, targeting users who have enabled the installation of apps from "unknown sources."

 

The authors of Android.Xiny.19.origin seem to have been a bit more determined. Their trojanized games are functional, but in the background they collect identifying information from targeted devices.

 

This information includes the phone's unique IMEI and IMSI identifiers, MAC address, mobile operator, country and language settings, operating system versions and more.

 

The attackers can also instruct the apps to display advertisements, to silently install or delete apps if root access is enabled on the phone and to launch APKs (Android application packages) that are hidden inside images.

 

The latter functionality, which uses steganography, is the most interesting feature of the malware and makes it harder to detect the malicious code.

 

"Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly," the Dr. Web researchers said in a blog post. "Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images."

 

After a specially crafted image is downloaded from the command-and-control server, the Trojan extracts an APK from it by using a special algorithm. It then loads the malicious code in the device's memory by using the DexClassLoader Android function.

SOURCE

 

Doctor Web Report

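Both the Doctor Web write-up earlier in the thread ("retrieves a hidden apk file with the help of a special algorithm") and the Softpedia piece above (an APK hidden in a valid image, then loaded with DexClassLoader) describe the same mechanism from the attacker's side. The script below is an added triage check written for this thread, not code from Doctor Web, Softpedia or the researchers named above. It shows the cheapest defender-side test for the simplest variant of the trick: walk a PNG's chunk structure, verify each CRC, report any bytes that follow the IEND chunk, and flag ZIP or DEX magic anywhere in the file (an APK is a ZIP archive whose bytecode lives in a `dex\n`-headed file). The sample image and the appended fake payload are constructed inline; the payload layout and the magic-string table are assumptions of this example, not details taken from the actual samples.

```python
"""Triage check for PNG files that carry an appended APK/DEX payload.

Added example for this thread; not taken from any of the quoted articles.
Assumption: the payload is appended after IEND or embedded in clear so that
its magic bytes are visible. An image that only *decrypts* into an APK (the
Apvrille/Albertini approach) will not show plaintext magic and needs a
different control (see the usage note).
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic bytes worth flagging inside an image (assumed table for this example).
SUSPICIOUS_MAGIC = {
    b"PK\x03\x04": "zip-local-file-header (an APK is a ZIP archive)",
    b"dex\n": "dex-header (Dalvik bytecode)",
}


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk stream and return the offset just past IEND.

    Raises ValueError on a malformed file, so a corrupted chunk is never
    mistaken for trailing data.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 4:pos + 8 + length]     # CRC covers type + data
        crc = struct.unpack(">I", data[pos + 8 + length:chunk_end])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def find_magic(blob: bytes) -> list:
    """Return sorted (offset, description) pairs for every suspicious magic hit."""
    hits = []
    for magic, desc in SUSPICIOUS_MAGIC.items():
        start = 0
        while (idx := blob.find(magic, start)) >= 0:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def triage_png(data: bytes) -> dict:
    """Report bytes after IEND and any embedded APK/DEX magic."""
    end = png_end_offset(data)
    return {
        "png_end": end,
        "trailing_bytes": len(data) - end,
        "magic_hits": find_magic(data),
    }


# --- constructed sample input (not a real malware artifact) -----------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_clean_png() -> bytes:
    """A valid 1x1 greyscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")             # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def build_stego_png() -> bytes:
    """The same image with a fake APK fragment appended after IEND."""
    fake_apk = b"PK\x03\x04" + b"\x00" * 26 + b"classes.dex" + b"dex\n035\x00"
    return build_clean_png() + fake_apk


if __name__ == "__main__":
    for name, blob in (("clean", build_clean_png()), ("stego", build_stego_png())):
        print(name, triage_png(blob))
```

Viewers stop at IEND, so the clean file and the one with 49 appended bytes render identically; only the chunk walk exposes the difference. Because the Black Hat 2014 technique keeps the image valid and hides the APK behind a decryption step, signature scanning of images is a weak control on its own; the more durable signal is an app that fetches images over the network and hands the result to DexClassLoader, which is the behaviour an analyst or a dynamic scanner should be looking for.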

