60+ Malvertised Google Play Store Games Affecting Users Through Steganography.
On Google's official Play Store, Dr. Web has discovered 60 Android games that contain a malicious trojan named Android.Xiny. The games come from 30 different developers, but according to Dr. Web's security staff they were all packed and behaved in the same way.
Whenever a user downloaded one of these games, the trojan collected their personal information and sent it to a remote command and control (C&C) server.
Android.Xiny can show ads and can also download other malicious apps.
The personal details gathered by the trojan include the following:
- IMEI and IMSI identifiers
- Country and language settings
- Mobile operator information
- Phone’s MAC address
- OS version
- What type of memory card the device was using
- Which app the trojan was using to collect all this information (which is otherwise hard to determine)
Collecting that last bit of information only makes sense when multiple malicious apps are deployed, which suggests that all the games were created and distributed by the same bad actor.
Once this data reached the C&C server, the malware operator, based on the victim's phone specifications, would instruct the trojan to display ads on the user's screen or to escalate its presence on the device by downloading other malicious apps.
Android.Xiny can download and launch other apps, but it does not gain root privileges. Root access is what would give an attacker full control of a phone; even without it, the trojan's code is powerful.
A strange thing noted by Dr.Web's researchers in this campaign was the use of steganography to download malicious apps. Steganography is a technique for hiding data in plain sight, usually inside images. It dates back to ancient Greece, when people wrote secret messages on wood and covered them with beeswax so that the recipient could discover them by removing the layer of wax.
Android.Xiny's operators chose to pack other Android apps inside a PNG image instead of hiding the download in HTTPS traffic. The reasoning is that few security researchers doing reverse engineering would be suspicious of an image download, since their focus is usually on observing and tracking HTTPS traffic, a common avenue for malware distribution.
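As an added defender-side example (not from Dr.Web's report or the trojan's own code), the following Python script checks a PNG for a ZIP/APK archive hidden the way described above: appended after the IEND chunk or stashed inside an ancillary chunk. The sample images are constructed inline; the check does not decode pixel data.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive (an APK is a ZIP)

def parse_png_chunks(data):
    """Walk the PNG chunk list; return (chunks, offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("truncated PNG: no IEND chunk")

def find_hidden_archive(data):
    """Return (where, size, has_zip_magic) findings for suspicious data in a PNG."""
    chunks, end = parse_png_chunks(data)
    findings = []
    trailer = data[end:]  # anything after IEND is not part of the image
    if trailer:
        findings.append(("trailing-data", len(trailer), ZIP_MAGIC in trailer))
    for ctype, body in chunks:  # ZIP magic inside a non-image chunk
        if ctype not in (b"IHDR", b"IDAT", b"IEND") and ZIP_MAGIC in body:
            findings.append(("chunk:" + ctype.decode("latin-1"), len(body), True))
    return findings

def _chunk(ctype, body):
    """Build one PNG chunk with its CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(trailer=b"", extra=()):
    """Constructed sample: 1x1 grey PNG, optional extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit grey pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer

if __name__ == "__main__":
    # Constructed fake payload: a ZIP local header followed by filler bytes.
    sample = build_sample_png(trailer=ZIP_MAGIC + b"\x00" * 26 + b"classes.dex")
    print(find_hidden_archive(sample))
```

A real scanner would additionally try to open the trailing bytes with `zipfile` and look for `AndroidManifest.xml` or `classes.dex` entries before raising an alert.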
At the time of writing, Dr.Web says that Google has failed to take down the apps it reported as infected with Android.Xiny.