Security researchers find multistage Android malware on Google Play

Malware apps found on Google Play deliver their payload as a secondary app after installation

Lucian Constantin (IDG News Service)
11 July, 2012 18:15
Comments

Security researchers from antivirus vendor Symantec identified two malware apps on Google Play that used a multistage payload delivery system in order to remain undetected.

The apps, which have since been removed by Google, masqueraded as two games -- "Super Mario Bros." and "GTA 3 - Moscow city."

"Both were posted to Google Play on June 24 and since then have generated in the range of 50,000 to 100,000 downloads," Symantec security researcher Irfan Asrar said Tuesday in a blog post.

Once installed, the apps downloaded an additional package called Activator.apk from a Dropbox account and prompted the device owners to install it.

This secondary Activator app sent SMS messages to a premium-rate number located in Eastern Europe, after which it asked to be uninstalled.

The fact that the malicious payload was delivered in multiple stages is probably why the apps managed to remain undetected for so long on Google Play, Asrar said.

Earlier this year, Google started using an automated scanner called Bouncer to detect malware on Google Play. Bouncer runs all published apps in an emulated Android environment and monitors them for suspicious activity.

However, downloading a secondary app from a developer's server and prompting the user to install it might not necessarily represent malicious behavior.

This is not the first time when Android malware developers have used multi-stage payloads. The Android.Lightdd and Android.Jsmshider threats discovered in 2011 both downloaded additional components after the installation of an initial app.

There are several advantages to spreading the payload across multiple apps, Asrar said about those threats at the time. For one, the initial malicious app no longer needs to display an extensive list of permissions that might attract the user's attention.

Secondly, if the initial app is downloaded from the official Android marketplace -- now called Google Play -- the user is likely to assume that the additional apps also originate from there.

Symantec detects the two newly found malware apps as Android.Dropdialer. The Android security team immediately removed the threat after being notified by Symantec, Asrar said.

"New manager arrives, fires most of the apparently-underskilled staff rather than training ..."

Solving the skills conundrum – part 1
"How many of the Fortune 500 companies have access to PRISM? https://en.wikipedia.org/wiki/Industrial_espionage ..."

Australia suspected to have PRISM data: Ludlam
"I don't fall into their whinging crap . In the last eight ..."

Australia Post’s mail business to lose $200 million this year
"Australia Post may have a monopoly on letters, but there are heaps ..."

Australia Post’s mail business to lose $200 million this year
"Totally overblown. iWork is a joke for real productivity. It is like ..."

Microsoft's ambivalence about Office on the Web gives Apple shot with iWork on iCloud

Latest Blog Posts

Whitepapers

Spear-Phishing Email: Most Favored APT Attack Bait
This research paper presents findings on APT-related spear phishing from February to September 2012. We analysed APT-related spear-phishing emails collected throughout this period to understand and mitigate attacks. The information we gathered not only allowed us to obtain specific details on spear phishing but also on targeted attacks. We found, for instance, that 91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.

Learn more »
Choice and Control – Considerations for Developing Enterprise Cloud Strategies
Enterprise-wide cloud implementation can be a challenging process, requiring a thoughtful, strategic approach. In this whitepaper, IBM® shares considerations for developing enterprise cloud strategies. It looks into how the rapid-scale enterprise-class environment can help enable the type of agile infrastructure that aids organisations in quickly meeting the demands of an ever-evolving marketplace, thereby providing true business value. Read now.

Learn more »
McAfee Complete Endpoint Protection - Business
McAfee makes endpoint security painless for users and easy and efficient for IT. Built for strength, speed, and simplicity, McAfee Complete Endpoint Protection - Business suite helps growing organisations get Internet security right, from turnkey installation to rapid response. Find out more.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

Governance For All - Empowering IT and Business Content Owners

Governance for all is more than an IT initiative or a goal written in a plan document; it’s a strategy that unites IT and business content owners to achieve their ...

Recent comments

"New manager arrives, fires most of the apparently-underskilled staff rather than training ..."
Solving the skills conundrum – part 1
"How many of the Fortune 500 companies have access to PRISM? https://en.wikipedia.org/wiki/Industrial_espionage ..."
Australia suspected to have PRISM data: Ludlam
"I don't fall into their whinging crap . In the last eight ..."
Australia Post’s mail business to lose $200 million this year
"Australia Post may have a monopoly on letters, but there are heaps ..."
Australia Post’s mail business to lose $200 million this year
"Totally overblown. iWork is a joke for real productivity. It is like ..."
Microsoft's ambivalence about Office on the Web gives Apple shot with iWork on iCloud

Follow CIO

Market Place

Deploying mobility worthwhile challenge hear what CIOs have to say.. Read more

SolveXia’s key tips for CIOs seeking improved productivity through automation. Click here

Now out of the office never means out of the loop. Office 365 – your complete office in the cloud.

Security 2013 Exhibition: 160 brands, new innovations, expert speakers & more, register now.

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Security researchers find multistage Android malware on Google Play

Recommended

Is ‘fit for purpose’ the new government IT ...

Better IT makes for happier employees: Deloitte

With budget, NSW government leads Australia on ICT: ...

Debating the digital economy

Why the fuss about big data?

Homeless multinationals and taxing decisions

10 Tips for Dealing with a Bully Boss

5 open source help desk apps to watch

How to define the scope of a project

Australia suspected to have PRISM data: Ludlam

PMBOK vs PRINCE2 vs Agile project management

Australia Post’s mail business to lose $200 million this year

Online shopping reaches mainstream status

Salesforce.com aims for next $1 billion business with ExactTarget buy

Australia suspected to have PRISM data: Ludlam

Why Agile Isn't Working: Bringing Common Sense to Agile Principles

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

Governance For All - Empowering IT and Business Content Owners

Enterprise Mobility Management: Embracing BYOD Through Secure App and Data Delivery

Webroot® SecureAnywhere™ Business - Endpoint Protection Technocal Overview

How to Boost the CIO’s Personal Effectiveness

Analyst Paper: Total Cost of Ownership