Researchers have uncovered a new trojan that targets Android devices, disguises itself as the legitimate Google Play store app, and can add functionality after it is installed on a compromised device.
The trojan comes with a long list of capabilities, including the ability to exfiltrate text messages, send geolocation information for compromised devices, steal contacts, lock the device, and even wipe an infected device. Researchers on Cisco’s Talos team discovered the trojan, which they have dubbed GPlayed, and have seen it submitted to public platforms that scan uploaded files against antimalware engines. That is a common tactic for cybercrime groups who want to see whether a particular tool is detectable before they use it. The GPlayed malware appears to still be in the testing phase.
“What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed,” Vitor Ventura of the Talos team wrote in a post analyzing the GPlayed trojan.
“This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvest the user's banking credentials, to monitoring the device's location. There are several indicators that it is in its last stages of development, but it has the potential to be a serious threat.”
Once it’s installed on a new device, GPlayed will register with its C2 server and then send a batch of sensitive information about the phone to the server. The trojan will send the model of the phone, its IMEI (international mobile equipment identity) number, and phone number to the remote server, along with the version of Android running on the device. The malware then loads a window that asks for admin privileges on the device and for permission to access the user’s contacts. Those screens won’t close until the victim approves the privileges.
GPlayed uses the same tactic to gather the victim’s credit card information, showing a persistent window that asks for the data in order to pay for some imaginary Google services.
“This will take the user through several steps until it collects all the necessary credit card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested from the user,” Ventura said.
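The behaviour described above gives a defender a few concrete indicators to check for in a device's app inventory: an app whose visible label says "Google Play" but whose package name is not the genuine client, an app that holds device-admin rights together with SMS, contacts, location and phone-state access, and an app with no installer package (sideloaded). The script below is an added example written for this article, not code from Talos or from the GPlayed analysis; the inventory records and the package name `com.example.fakestore` are constructed sample data, while `com.android.vending` is the real package name of the Google Play Store client.

```python
"""Triage heuristics for an Android app inventory, modelled on the GPlayed
indicators described in the article: a Play Store look-alike that asks for
device-admin rights plus SMS, contacts, location and phone-state access.
All inventory records below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Package name of the genuine Google Play Store client.
OFFICIAL_PLAY_STORE = "com.android.vending"

# Permissions matching the capability set attributed to GPlayed
# (SMS exfiltration, contacts theft, geolocation, IMEI/phone number).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}


@dataclass
class InstalledApp:
    package: str
    label: str                       # user-visible app name
    permissions: Set[str] = field(default_factory=set)
    device_admin: bool = False       # app declares a DeviceAdminReceiver
    installer: Optional[str] = None  # package that installed it; None = sideloaded


def impersonates_play_store(app: InstalledApp) -> bool:
    """True when the label claims to be Google Play but the package is not the real client."""
    return "google play" in app.label.strip().lower() and app.package != OFFICIAL_PLAY_STORE


def risky_permission_combo(app: InstalledApp) -> bool:
    """Device-admin rights combined with two or more of the sensitive permissions."""
    hits = app.permissions & SENSITIVE_PERMISSIONS
    return app.device_admin and len(hits) >= 2


def triage(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for every app that matches at least one heuristic.
    Sideloading is only reported as a supporting reason, never on its own."""
    findings: Dict[str, List[str]] = {}
    for app in apps:
        reasons = []
        if impersonates_play_store(app):
            reasons.append("label mimics Google Play but package is %s" % app.package)
        if risky_permission_combo(app):
            hits = sorted(app.permissions & SENSITIVE_PERMISSIONS)
            reasons.append("device admin + sensitive permissions: %s" % ", ".join(hits))
        if reasons and app.installer is None:
            reasons.append("sideloaded (no installer package)")
        if reasons:
            findings[app.package] = reasons
    return findings


# Constructed sample inventory: the real store, a benign weather app, and a look-alike.
SAMPLE_INVENTORY = [
    InstalledApp("com.android.vending", "Google Play Store",
                 {"android.permission.INTERNET"}, installer="com.android.vending"),
    InstalledApp("com.example.weather", "Weather",
                 {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
                 installer="com.android.vending"),
    InstalledApp("com.example.fakestore", "Google Play",  # constructed, not a real package
                 {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                  "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE"},
                 device_admin=True, installer=None),
]

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_INVENTORY).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real device the inventory would come from `adb shell pm list packages -i` and `dumpsys package` output rather than hand-built records; the heuristics stay the same, and the label check is deliberately loose because the article notes the trojan's interface is easily re-skinned for other languages.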
The trojan appears to be the work of professional developers, and Ventura said GPlayed’s adaptability makes it a particularly serious threat.
“The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the trojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy. The wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or ransomware,” he said.