Symantec has identified a new malware posted to the official Google Play market. The threats were posted as two popular titles, one as “Super Mario Bros.” and the other was packaged as “GTA 3 Moscow City”. Both were posted to Google Play on June 24 and since then have generated in the range of 50,000 to 100,000 downloads.
What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered. Our suspicion is that this was probably due to the remote payload employed by this Trojan.
This is a technique I had discussed in a blog just about a year ago, whereby the author of a malicious app would break it up into separate, staged payloads in order to avoid detection of anomalies during the automated QA screening process. In the case of Android.Dropdialer, the first stage was posted on Google Play. Once installed, it would download an additional package, hosted on Dropbox, called ‘Activator.apk’.
Figure 2. Dispersed payload process of mobile threat
This additional package sends SMS messages to a premium-rate number. An interesting feature of the secondary payload is that it prompts to uninstall itself after sending out the premium SMS messages—an obvious attempt at hiding the true intent of the malicious app. The premium SMS is targeting Eastern Europe.
We would like to thank Android Security for immediately revoking the threat after we notified them of this discovery.