
‘GPlayed’, a new trojan, is infecting Android devices by disguising itself as the Google Play Store

The malicious app uses an icon that is somewhat similar to the official “Google Play Store” and it labels the app as “Google Play Marketplace”.

  • Published: October 15, 2018 11:55 AM IST
GPlayed Trojan

Image credit: Talos Security


Security researchers have discovered a new trojan that is attacking Android devices. For the uninitiated, a trojan is a malicious piece of software that usually arrives disguised as a harmless file and, once activated, gains a foothold in the system to perform a number of tasks. These tasks include anything from spying to harvesting user data and sending it to the hacker. The hacker can even modify the trojan to better fit the needs of the task. Moving back to the story, the trojan at the center is known as ‘GPlayed’ and it was discovered by security researchers working at the Talos Security division of Cisco.

According to the dedicated blog post by security researcher and the technical head for Talos Security, Vitor Ventura, the trojan comes with a wide range of features. The interesting thing to note about the trojan is that it uses a modular approach to expand its features with the help of plugins. This means that the original, base app package on the device does not need to be updated or recompiled. The flexibility of the trojan makes it “very effective” for cybercriminals. In addition to that, the malicious app also uses an icon that is somewhat similar to the official “Google Play Store” and it labels the app as “Google Play Marketplace”.


Other details state that the hacker can use the trojan to inject scripts into the system and even compile new .NET code for execution. The analysis noted that this trojan is currently in the testing phase, but the researchers felt that it needed to be highlighted because of its capabilities. The malware is written in .NET with the help of the “Xamarin environment for mobile” apps. It includes “Reznov.DLL”, the main DLL file that makes everything work. Looking a bit more closely, the DLL includes a root class named “eClient”, which is the core of the malware.


The malware uses another DLL file named “eCommon.dll”, which includes the support code and structure for the trojan. It is worth noting that all of this is platform independent, which means that the same trojan can attack Android-powered as well as Windows-powered devices. The package name for Android is “verReznov.Coampany”. The trojan requires a number of permissions, including “BIND_DEVICE_ADMIN”, which asks the user to give the trojan device administrator access.

Any app that has device administrator access has full control of the device and could cause a lot of damage. The trojan comes with the usual spying capabilities, self-management, data extraction which includes SMS and contacts, collecting credit card information, setting a lock password, locking the device, and even wiping the device. The analysis concludes that the malware shows a “design and implementation” “of an uncommonly high level”. This is likely to get serious as more and more developers shift to the model of delivering their apps directly to customers, where users are less able to tell a legitimate website or app from a malicious one.
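The traits described above (a Google Play lookalike label on a different package, a device administrator request, SMS and contacts access, bundled .NET DLLs) can be checked during app vetting. The following triage sketch is an added example, not code from Talos or the original article; it assumes a decoded manifest with the label already resolved to text, and the sample manifest, the receiver name and the file listing are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OFFICIAL_PLAY_PACKAGE = "com.android.vending"  # package name of the real Play Store
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: a decoded manifest shaped like the app the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="verReznov.Coampany">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Google Play Marketplace">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
# Constructed sample: file names inside the APK (assumed layout for bundled DLLs).
SAMPLE_FILES = ["classes.dex", "assemblies/Reznov.dll", "assemblies/eCommon.dll"]

def triage(manifest_xml, apk_files):
    """Return a list of findings for one decoded manifest and APK file listing."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID + "label", "") if app is not None else "").lower()
    findings = []
    # 1. Label claims to be Google Play but the package is not the official one.
    if "google play" in label and package != OFFICIAL_PLAY_PACKAGE:
        findings.append("play-store-lookalike")
    # 2. Device administrator: bound on a receiver or listed as a permission.
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    bound = {e.get(ANDROID + "permission") for e in root.iter("receiver")}
    if DEVICE_ADMIN in perms | bound:
        findings.append("device-admin")
    # 3. SMS/contacts access, the data the article says is extracted.
    if perms & {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"}:
        findings.append("sms-or-contacts-access")
    # 4. Bundled .NET assemblies mean the logic lives in DLLs, not classes.dex.
    if any(f.lower().endswith(".dll") for f in apk_files):
        findings.append("dotnet-assemblies")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_FILES))
```

No single finding is conclusive on its own; legitimate Xamarin apps ship DLLs and legitimate management apps request device administrator access, so it is the combination with a lookalike label that warrants review.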
