Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.
Disguised as apps including news aggregators and system cleaners, the apps looked legitimate but hid their malicious properties by using obfuscation and by delaying the installation of the payload.
Following the initial download, the app doesn’t request the suspicious permissions associated with malware and will initially mimic the activity the user expects – the latter is an increasingly common tactic by malicious software developers.
However, alongside this user-facing activity, the app secretly decrypts and executes payloads in a multi-step process. The malicious app decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload. This second-stage payload contains a hardcoded URL which the malware uses to download a third-stage payload containing another malicious app.
Once installed on the device, Trojan Dropper is used to install other forms of malware – the malware has been spotted attempting to deliver the MazarBot banking trojan and various forms of spyware, but researchers note it can be used to deliver any malicious payload of the criminals’ choice.
Submitted by: Arnfried Walbrecht