Obfuscated Malware Discovered on Google Play

Early this week the McAfee Labs Mobile Malware Research team found on Google Play a set of malicious apps published by the developer account ValerySoftware:

[Image: 20160809 Google Play malware 1]

[Image: 20160809 Google Play malware 2]

Each of these apps has been downloaded and installed up to 500 times, which means up to 3,000 devices could be infected by this threat.

Some characteristics of this malware:

  • Encrypted and obfuscated at many levels
  • Downloads APK files from external sources
  • Tries to install apps from Google Play without user interaction
  • Displays ads, or silently fetches them, from multiple advertising SDK vendors
  • Leaks sensitive information
  • Receives commands to open and close applications
  • Receives commands to install and uninstall applications

The negative user reviews on the store are most likely due to the fact that these malicious apps provide no functionality at all. The Trojan pretends to be a game patch but consists only of a WebView that loads a couple of local HTML resources after requesting device administrator privileges, probably so that the app cannot be removed easily once the user notices it does nothing (an active device administrator must be deactivated in Settings before Android allows the app to be uninstalled):

[Images: 20160809 Google Play malware 3a, 3b, 3c]

In the background, however, the malware decrypts and loads multiple .dex files that start the malicious activity without the user noticing.

[Image: 20160809 Google Play malware 4]

The payload is obfuscated at several levels. A packer, an Executable and Linkable Format (ELF) native binary, is crafted to decrypt the malicious code from a file stored in the assets directory of the APK. The names of the assets .dat file, of the ELF binary, and of the classes that implement the malware functionality are randomized to evade signature-based detection. Strings are obfuscated both inside the ELF binary and inside the encrypted malicious .dex files.

For example, a JSON file containing the URLs of the control servers is obfuscated inside the decrypted .dex file, which is dynamically loaded by the original .dex:

[Image: 20160809 Google Play malware 5]

[Image: 20160809 Google Play malware 6]

Based on the registrant information for the domains used by this malware, we can tie the authors to a group of known cybercriminals in Europe who host and distribute malware.

To pass unnoticed, the malware authors built anti-emulation checks into the malicious code so that its behavior is not exhibited, and therefore not detected, in automated dynamic analysis sandboxes.

Some web resources such as PNG images, JavaScript, and HTML code are embedded in the .dex files, encoded in Base64. These resources are related to the banners and ads that the malware can selectively display. They cannot be observed in the main APK without first decrypting the third .dex file, classes3.dex.
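Below is an added example, written for this post and not taken from the sample or from McAfee's tooling, of a static triage script that looks for the packer indicators described in the three preceding passages: a randomly named ELF and a high-entropy encrypted blob under assets/, several classesN.dex files, references to DexClassLoader and DeviceAdminReceiver, emulator-detection strings, and Base64-encoded HTML, JavaScript or PNG resources inside a .dex. The APK it inspects is constructed in memory; the entry names, the emulator string list and the 7.5 bits-per-byte entropy threshold are assumptions of this example, not artifacts from the real sample.

```python
import base64
import io
import math
import random
import re
import zipfile

DEX_MAGIC = b"dex\n035\0"
ELF_MAGIC = b"\x7fELF"
# Strings commonly used by emulator checks (an assumed heuristic list, not from the sample).
EMULATOR_STRINGS = [b"goldfish", b"ro.kernel.qemu", b"generic_x86", b"Genymotion"]
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
# Leading bytes of the resource types the post says are hidden in Base64.
RESOURCE_MAGICS = ((b"\x89PNG", "png"), (b"<html", "html"), (b"<!DOCTYPE", "html"),
                   (b"<script", "javascript"), (b"function", "javascript"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_base64_resources(blob: bytes) -> list:
    """Decode long Base64 runs and report the kind of resource each one hides."""
    kinds = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        for magic, kind in RESOURCE_MAGICS:
            if decoded.lstrip().startswith(magic):
                kinds.append(kind)
                break
    return kinds


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan one APK (a zip archive) for the indicators described in the post."""
    report = {"dex_files": [], "elf_in_assets": [], "high_entropy_assets": [],
              "dex_loader_refs": False, "device_admin": False,
              "emulator_checks": [], "embedded_resources": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if re.fullmatch(r"classes\d*\.dex", name):
                report["dex_files"].append(name)
                # Loading a decrypted dex at runtime goes through DexClassLoader.
                if b"dalvik/system/DexClassLoader" in data:
                    report["dex_loader_refs"] = True
                if b"android/app/admin/DeviceAdminReceiver" in data:
                    report["device_admin"] = True
                report["emulator_checks"] += [s.decode() for s in EMULATOR_STRINGS if s in data]
                report["embedded_resources"] += find_base64_resources(data)
            elif name.startswith("assets/"):
                if data.startswith(ELF_MAGIC):
                    report["elf_in_assets"].append(name)  # native unpacker hidden as an asset
                elif shannon_entropy(data) > 7.5:
                    report["high_entropy_assets"].append(name)  # likely encrypted payload
    return report


def packer_suspected(report: dict) -> bool:
    """Native code in assets, an encrypted blob and a dex loader together form the packer pattern."""
    return bool(report["elf_in_assets"] and report["high_entropy_assets"] and report["dex_loader_refs"])


def build_sample_apk() -> bytes:
    """Constructed test APK reproducing the layout the post describes (not the real sample)."""
    banner = base64.b64encode(b"<html><body><script src='http://example.invalid/ad.js'></script>"
                              b"<img src='banner.png'></body></html>")
    rng = random.Random(20160809)
    encrypted_payload = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header stub
        apk.writestr("classes.dex", DEX_MAGIC + b"\0" * 64
                     + b"Ldalvik/system/DexClassLoader;\0"
                     + b"Landroid/app/admin/DeviceAdminReceiver;\0goldfish\0")
        apk.writestr("classes3.dex", DEX_MAGIC + b"\0" * 16 + banner + b"\0" * 16)
        apk.writestr("assets/k3x9qz.so", ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 64 + b"decrypt_payload\0")
        apk.writestr("assets/r7p2wq.dat", encrypted_payload)  # the randomly named assets .dat
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("packer suspected:", packer_suspected(result))
```

The entropy check is what separates an encrypted payload from ordinary assets: game data or images rarely exceed about 7.5 bits per byte once decompressed by the zip reader, while ciphertext sits near 8.0. On a real APK the Base64 scan should run over every dex that the unpacker drops, since the post notes the ad resources only appear after classes3.dex is decrypted.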

The authors have Trojanized apps created with the Android Robo Templates framework to earn revenue from multiple ad libraries injected into the payload .dex, as shown in the following configuration class:

[Image: 20160809 Google Play malware 7]

In the main .dex file we can observe a downloader listener class that is ready to download APKs from a given URL. The red boxes mark other classes injected by the malware:

[Image: 20160809 Google Play malware 8]

Although Google has been successful in improving its policing of malicious apps, this threat is a reminder that malware can still be present even in official stores. Before installing an app, first check the reviews left by other users. Also check that the permissions the app requests are related to its functionality (a game patch has no reason to request device administrator rights), and review the developer profile to look for other apps. Intel Security reminds you that if an app looks suspicious, you should not install it.

McAfee Mobile Security detects this Android threat as Android/Agent.FL and alerts mobile users if the malware is present. Follow this link for more information about McAfee Mobile Security.

To keep up with the latest security threats, follow @McAfee_Home on Twitter and like us on Facebook.
