Security researchers from FireEye have discovered a new threat to Android devices. This time it comes as a clone of Google Play.
FireEye researchers Jinjian Zhai and Jimmy Su analyzed the behavior of the malware application and determined that the attacker uses a dynamic DNS server together with Gmail over SSL to collect the data sent by the application.
Once the fake app (it is called “googl app stoy”) starts running, it asks for device administrator rights and, instead of opening a UI window, shows error messages informing the user that the Google app store has been deleted and its activity has stopped.
Upon closer inspection, the researchers noticed that it only deletes the app icon, while the app itself continues to run in the background and starts a set of five services. It has access to the list of apps running on the device, and it cannot itself be removed or uninstalled.
This matters because victims need to run it only once for it to activate and begin erasing the traces of its suspicious activity. The infection is almost invisible, since the real Google Play icon is still in place.
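As an added illustration (not code from FireEye's analysis or from the original article), the following Python script shows how a defender could triage an installed-app inventory for the combination described above: a label imitating Google Play, device-admin rights and a missing launcher icon. The inventory records, the non-Google package names and the similarity threshold are constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed inventory records (not real device output). A defender can fill
# these from `adb shell pm list packages -f`, `adb shell dumpsys device_policy`
# (active admins) and the launcher's resolvable MAIN/LAUNCHER activities.
@dataclass(frozen=True)
class InstalledApp:
    package: str
    label: str           # user-visible app name
    device_admin: bool   # registered as an active device administrator
    launcher_icon: bool  # still has a resolvable launcher activity
    system: bool         # preinstalled on the system partition

# Package names that legitimately carry Google's Play branding.
KNOWN_PLAY_PACKAGES = {"com.android.vending", "com.google.android.gms"}
REAL_LABEL = "google play store"

def play_store_similarity(label: str) -> float:
    """Similarity of a label to the real Play Store name, ignoring case/whitespace."""
    norm = " ".join(label.lower().split())
    return SequenceMatcher(None, norm, REAL_LABEL).ratio()

def suspicious_indicators(app: InstalledApp, threshold: float = 0.6) -> list[str]:
    """Reasons an app matches the reported behaviour: a look-alike label,
    device-admin rights (resists uninstall) and a hidden launcher icon."""
    if app.package in KNOWN_PLAY_PACKAGES or app.system:
        return []  # preinstalled Play components legitimately lack icons
    reasons = []
    if play_store_similarity(app.label) >= threshold:
        reasons.append("label imitates Google Play")
    if app.device_admin:
        reasons.append("holds device-admin rights (blocks plain uninstall)")
    if not app.launcher_icon:
        reasons.append("no launcher icon (hidden from the app drawer)")
    return reasons

def find_play_store_clones(apps) -> dict[str, list[str]]:
    """Map package -> reasons, for apps showing at least two indicators."""
    hits = {}
    for app in apps:
        reasons = suspicious_indicators(app)
        if len(reasons) >= 2:
            hits[app.package] = reasons
    return hits

# Constructed sample inventory; the fake app's label is the one FireEye reported.
SAMPLE_APPS = [
    InstalledApp("com.android.vending", "Google Play Store", False, True, True),
    InstalledApp("com.google.android.gms", "Google Play services", False, False, True),
    InstalledApp("com.example.calc", "Calculator", False, True, False),        # constructed
    InstalledApp("com.example.fakeplay", "googl app stoy", True, False, False),  # constructed package name
]

if __name__ == "__main__":
    for pkg, why in find_play_store_clones(SAMPLE_APPS).items():
        print(pkg, "->", "; ".join(why))
```

Requiring two indicators keeps single-signal apps (a bank app that is a device admin, a launcher-less system component) out of the hit list while still catching the reported combination.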
The malicious program appears to hide its payload through compression and encryption. FireEye's researchers managed to decrypt it and concluded that the data sent to the cybercriminals consists of text messages, certificate digital signatures, and bank account passwords.
The two researchers were able to confirm that the digital signatures and other sensitive data were sent to the domain "dhfjhewjhsldie.xicp.net."
They also found that the SMS-transmission data replaced a cached file on the phone with one containing their own Gmail address.
An important finding is that only three of VirusTotal's scan engines detected the sample as malicious.