Malicious Platform Independent Trojan GPlayed Disguised as Google Play Store

A newly discovered Trojan, dubbed GPlayed by the IT security experts at Cisco Talos, disguises itself as the Google Play Store to trick users into installing it. Once installed, it steals location information and bank details from the device. It is also capable of transferring code between desktop and mobile platforms, which means that all interconnected computers are currently vulnerable.

Cisco Talos researchers identified that the Trojan is currently attacking Android devices. Once activated on a device, it can perform all sorts of actions: spying, data extraction, self-management, credit card data collection, locking the device, wiping data from it, setting a lock password, and obtaining SMS and contact information. Researchers believe that it shows an unusually high level of design and implementation quality.

Privilege escalation and credit card requests made by a trojan (Image credit: Cisco Talos)

For your information, a Trojan is malicious software that arrives posing as a harmless file but gradually extends its control over the system to perform miscellaneous tasks. These may include spying on the user, harvesting user data and transmitting it to the attacker, and so on. The attacker can keep modifying the Trojan to cause more serious disruption to the system.

Cisco Talos’ technical head for security, Vitor Ventura, posted a blog explaining how GPlayed was discovered and what it can do. Ventura writes that the Trojan can perform a variety of functions and uses a modular approach to expand its features via plugins, so the base app package originally installed doesn’t need to be recompiled or updated.

This flexibility makes the Trojan a handy piece of software for cybercriminals. As mentioned above, the malware is platform independent, which means it can attack both Windows-based and Android-based devices. On Android its package name is verReznov.Coampany. It asks users for a variety of permissions, including BIND_DEVICE_ADMIN, in order to acquire device administrator access.

The app is labeled "Google Play Marketplace", and the icon it uses closely resembles that of the official Google Play Store. Using the Trojan, the attacker can inject scripts into the Android system as well as compile new .NET code for execution.
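The two traits described above, a device-admin receiver guarded by BIND_DEVICE_ADMIN and Google Play branding on a package that is not the real store, are both visible in an app's manifest before it is ever run. The script below is an added example (not Cisco Talos code and not taken from the malware) that triages a decoded AndroidManifest.xml for those traits plus the SMS, contacts and location permissions the article lists. It assumes the manifest has already been decoded from the APK to plain XML (for example with apktool); both sample manifests embedded in it are constructed, and the package name com.example.fakestore is a placeholder rather than the real sample's.

```python
"""Static triage of a decoded AndroidManifest.xml for GPlayed-style traits.

Added example, not Cisco Talos code. Assumes the manifest is already plain XML
(decoded from the APK, e.g. by apktool). Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OFFICIAL_PLAY_PACKAGE = "com.android.vending"  # real package name of Google Play Store
# Permissions that match the capabilities the article describes (SMS, contacts, location).
WATCHED_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return package, label, a list of findings and a suspicious flag."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    findings = []

    # 1. Device-admin receivers: a receiver protected by BIND_DEVICE_ADMIN and/or
    #    listening for DEVICE_ADMIN_ENABLED is what lets an app become device admin.
    admin_receivers = []
    for recv in root.iter("receiver"):
        guarded = recv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        asks_enable = any(
            a.get(ANDROID_NS + "name") == "android.app.action.DEVICE_ADMIN_ENABLED"
            for a in recv.iter("action")
        )
        if guarded or asks_enable:
            admin_receivers.append(recv.get(ANDROID_NS + "name", "?"))
    if admin_receivers:
        findings.append("device-admin receiver(s): " + ", ".join(admin_receivers))

    # 2. Branding impersonation: calls itself Google Play but is not com.android.vending.
    if "google play" in label.lower() and package != OFFICIAL_PLAY_PACKAGE:
        findings.append(f"label {label!r} impersonates Google Play but package is {package!r}")

    # 3. Sensitive permissions matching the reported data-theft capabilities.
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(requested & WATCHED_PERMISSIONS)
    if hits:
        findings.append("sensitive permissions: " + ", ".join(hits))

    # Device admin on its own is legitimate (MDM agents use it); flag it only when
    # combined with impersonation or data-access permissions.
    suspicious = bool(admin_receivers) and len(findings) >= 2
    return {"package": package, "label": label, "findings": findings, "suspicious": suspicious}


# Constructed manifest mimicking the reported traits (package name is a placeholder).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestore">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play Marketplace">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: the real store's package name, no device admin.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.vending">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play Store"/>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

The check treats device-admin alone as neutral, since legitimate device-management agents also request it; it is the combination of an admin receiver with store impersonation or data-access permissions that is reported, which keeps the rule from flagging every MDM client on a fleet.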

The icon on the left, according to researchers, is the Trojan's (Image credit: Cisco Talos)

Researchers also noted that the Trojan is still in a testing phase. The malware is written in .NET using the Xamarin environment for mobile apps. Its main DLL is Reznov.DLL, which contains a root class named eClient and performs most of the malicious activity. A second DLL, eCommon.dll, contains the supporting code and the Trojan's structure.

It is obvious that the malicious app won’t be available on the authentic Google Play Store; instead, it follows the ongoing trend of developers skipping the App Store and Play Store and releasing their apps on their own websites.

Therefore, there is every possibility that unsuspecting users will download it and, without the Google Play Store's security vetting, put their devices in grave danger. Word of advice: only download apps from legitimate Google or Apple platforms.
