Windows 10 News and info | Forum
Topic: New Android Trojan GPlayed Adapts to Attacker's Needs
« on: October 12, 2018, 12:39:39 PM »

A newly discovered piece of malware for Android raises the bar in terms of sophistication and flexibility, offering its operator adaptability to various tasks.

Cybercriminals are currently running tests on GPlayed but malware analysts warn that it is already shaping up as a serious threat.

The modular architecture extends its functionality through plugins that can be added without the need to recompile and update the package on the device.

Wide range of features

The operator can also inject scripts and send .NET code to the infected Android device, which GPlayed can compile and execute. It is built using the Xamarin environment for mobile apps and uses a DLL called "eCommon" that "contains support code and structures that are platform independent."

This model shows a new step on the evolution ladder, where code can migrate from desktop platforms to mobile ones, resulting in a hybrid threat.

It disguises itself on the device as the Play Store app, using an icon very similar to the original and the name "Google Play Marketplace." It asks for many permissions, including "BIND_DEVICE_ADMIN," which gives it almost complete control over the infected device.

Researchers at Cisco Talos analyzed GPlayed and discovered a hefty set of native capabilities covering spying, data exfiltration, and self-management functions.

Aside from the regular features for stealing messages and contacts, making calls and sending SMS, the trojan can also display USSD messages, start applications, wipe the device, add and remove web injects, collect payment card information and set a new lock password.

Injecting JavaScript code is also on the list of features, giving the attacker the possibility to steal sensitive information the user types in a form field of any site they load.

"This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvesting the user's banking credentials to monitoring the device's location," the researchers say in a report today.

Trojan checks payment info before grabbing it

Once on the Android device, GPlayed starts different timers for initiating various tasks: pinging the command and control (C2) server, enabling WiFi if it is turned off, and registering the device with the C2 server.

Its activity starts by delivering phone information to the attacker's server, such as model, IMEI, country, or the Android version running.

GPlayed will try to gain more privileges by requesting admin rights and demanding access to the device settings. This is a potential red flag for users.

Collecting payment information is done by opening a fake Google Payment web page asking for a sum of money predefined by the attacker in order to use Google Services. The credit information is verified online before sending it to the C2.

According to Talos analysts, the version of GPlayed they saw targeted Russian-speaking users, but it could easily be modified for a different language.

Its modularity makes it difficult to create a profile and removes restrictions to specific malicious activities. As such, it can be used as a banking trojan or ransomware just as easily.

« Last Edit: October 12, 2018, 01:57:18 PM by javajolt » Logged
