In the past it was quite simple to secure your phone: it was enough not to install applications from untrusted sources. Unfortunately, malware is becoming increasingly commonplace, and some of it evades the mechanisms Google uses to secure the official Play Store that all Android devices use. This time, ESET researchers report a threat known as TrojanDropper.Agent.BKY.
In such cases, Apple customers often point to the benefits of the relative closure of the iOS system (Apple allows applications to be installed only from the official store). However, the App Store has had its own flaw: several official applications (including the game Angry Birds 2) were infected with XcodeGhost. In that case, the weakest point was the developers, who had downloaded the Xcode development environment from an unofficial site. Returning to the subject, the TrojanDropper.Agent.BKY malware went unnoticed by Google because the criminals built a fairly complex attack chain consisting of four stages.
ESET experts found six applications infected by TrojanDropper.Agent.BKY in the Google Play store.
They are Clear Android, MEX Tools, Android Cleaner, World News, World News PRO and WORLD NEWS. All of them have already been removed by Google, and their combined installations did not exceed 13,000 devices. However, not every installation ended in a device infection: the malicious code was downloaded from the net nearly 3,000 times.

What is the reason for this difference? None of the malicious applications raised users' suspicion, because there were no suspicious entries in their list of permissions. In the background, however, the infected application unpacked and decrypted the first payload, which in turn did exactly the same with the second payload. This doubly protected portion of the malicious code then downloaded the third-stage payload, which contains the target malware code, from an external server in the background. After some time, the user is prompted to install a well-known application (such as Adobe Flash Player) that requests access to the phone and captures and sends SMS messages. In the end, a banking Trojan is installed on the user's phone, responsible for capturing the login and password for the bank account as well as credit card information.