Security researchers at FireEye have discovered a new threat for Android devices. This time it comes disguised as a clone of Google Play.
FireEye researchers Jinjian Zhai and Jimmy Su analyzed the behavior of the malware application and determined that the attacker uses a dynamic DNS server together with Gmail over SSL to collect the data the application sends.
As soon as the fake app starts running (it is called “googl app stoy”), it requests administrator permissions and, instead of opening a UI window, it displays error messages and informs the user that googl app stoy has been deleted and its activity has stopped.
After closer examination, the researchers noticed that it only deletes the application icon; the application itself keeps running in the background and starts a set of five services. It has access to the list of apps running on the device and cannot be removed or uninstalled.
This is particularly important because victims need to run it only once to activate it, and it then begins to eliminate traces of the suspicious activity it carries out. It is almost invisible, since the real Google Play icon is still in place.
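The combination described above (a label that mimics Google Play, an active device-administrator receiver, and no launcher icon while services keep running) can be screened for in an app inventory. The following triage helper is an added example, not code from FireEye or the article; the inventory records, the package name `com.example.stoy`, the similarity threshold and the trusted-app allow-list are constructed assumptions.

```python
"""Triage helper: flag installed apps that show the traits attributed to the
fake Google Play sample. Inventory records are CONSTRUCTED for this example;
on a real device they would be assembled from `adb shell pm` and
`adb shell dumpsys device_policy` output."""
import difflib

# Hypothetical allow-list: trusted label -> package that may legitimately use it.
TRUSTED_APPS = {"Google Play Store": "com.android.vending"}

# Constructed inventory: one benign system app, one benign Google app,
# and one record shaped like the sample the article describes.
INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store",
     "device_admin": False, "has_launcher": True},
    {"package": "com.google.android.apps.maps", "label": "Maps",
     "device_admin": False, "has_launcher": True},
    {"package": "com.example.stoy", "label": "googl app stoy",
     "device_admin": True, "has_launcher": False},
]


def lookalike_score(label, trusted):
    """Similarity ratio (0..1) between two app labels, ignoring case/spacing,
    so that typo-squatted names such as 'googl app stoy' score high."""
    norm = lambda s: "".join(s.lower().split())
    return difflib.SequenceMatcher(None, norm(label), norm(trusted)).ratio()


def triage(inventory, threshold=0.6):
    """Return {package: [reasons]} for apps showing at least two suspicious
    traits: device-admin rights, hidden launcher icon, or a lookalike label."""
    findings = {}
    for app in inventory:
        reasons = []
        if app["device_admin"]:
            reasons.append("holds device administrator rights")
        if not app["has_launcher"]:
            reasons.append("no launcher activity (icon hidden, may still run)")
        for trusted_label, trusted_pkg in TRUSTED_APPS.items():
            if app["package"] == trusted_pkg:
                continue  # the genuine app is allowed to carry its own label
            if lookalike_score(app["label"], trusted_label) >= threshold:
                reasons.append(f"label mimics '{trusted_label}'")
        if len(reasons) >= 2:
            findings[app["package"]] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in triage(INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```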
The malware appears to hide its malicious code with compression and encryption. FireEye's researchers managed to decrypt it and concluded that the data sent to the cybercriminals consists of short text messages (SMS), the digital signatures of certificates, and bank account passwords.
The two researchers were able to confirm that the digital signatures and other sensitive data were sent to the website "dhfjhewjhsldie.xicp.net."
They also found that, to transmit the SMS data, it replaces a cached file on the phone with one containing the attackers' own Gmail address.
An important research finding is that only three of VirusTotal's scan engines detected the sample as malicious.