Feb 1st, 2016

Don’t look now, but a nasty new malware is going around, and it could be manifesting itself inside one of the many games you’ve probably downloaded from Google Play. The malware was found by Dr Web’s research team.


Known as Android.Xiny.19.origin, the trojan is said to be embedded in over 60 games on the Google Play Store, some of which have been downloaded tens of thousands of times. Many of the games affected come from BILLAPPS, Conexagon Studio and Fun Color Games.

So, what does it do? Here’s a neat list for you:

  • Displays annoying advertisements
  • Downloads applications and prompts a user to install various software
  • Installs and deletes programs if root access is available on a device
  • Launches arbitrary apk files hidden in images received from the C&C server

Not enough? Here’s some of the phone data it’s been found to send off to a remote server:

  • IMEI identifier
  • IMSI identifier
  • Information about the mobile operator
  • Presence of a memory card in a device
  • Country
  • Language
  • MAC address
  • Version of the operating system
  • Package name and version of the application the Trojan is embedded in
  • Presence of the malicious application in the system folder

Long story short, it can install and run just about anything it wants on your phone if you’re rooted, and even if you aren’t, it performs enough suspicious activity to make us hurl. Dr Web says they reported their findings to Google before releasing this report, though the games could still be downloaded through the Google Play Store at the time of this writing.

It sucks that legit-looking games could be doing so much shady stuff, and it makes you wonder how many other apps and games on the Google Play Store are hiding in plain sight with this sort of venom.

How could this even happen when Google has taken measures to detect and reject apps with malicious code? The answer, Dr Web says, lies in the new tactic the malware makers use to hide files. Instead of shipping encrypted code, the crooks have resorted to digital steganography, hiding the code inside image files. It’s a clever move, since an image file on its own doesn’t set off any red flags.
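The article doesn’t say exactly how the payload is tucked into the images, so here is an added example (not Dr Web’s tooling and not a description of Xiny’s real scheme) of the simplest defensive check an analyst can run over the image assets of a suspicious app: a PNG ends at its IEND chunk and a JPEG at its EOI marker, so any bytes after that point are not picture data, and if they contain ZIP/APK signatures the file deserves a closer look. The sample PNG, JPEG skeleton and trailer below are constructed in code and are not real game assets or a real archive.

```python
"""Flag image files that carry data after the image's own end marker.

Added example; not Dr Web's code and not how Android.Xiny.19.origin actually
hides its payload (the page does not describe that). It only checks for the
simplest case: an archive appended after the picture ends.
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")          # local file header, end of central dir
APK_NAMES = (b"AndroidManifest.xml", b"classes.dex")  # filenames every APK stores uncompressed


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                       # header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def _is_marker(data: bytes, pos: int) -> bool:
    """True if data[pos] starts a real marker (not a stuffed 0xFF00 or an RSTn)."""
    nxt = data[pos + 1]
    return data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk JPEG segments; return the offset just past EOI, or None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI: the picture ends here
            return pos + 2
        if marker == 0xFF:                          # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                          # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not _is_marker(data, pos):
                pos += 1
    return None


def analyze_image(data: bytes) -> dict:
    """Report the trailing byte count and whether the trailer looks like a ZIP/APK."""
    if data.startswith(PNG_SIG):
        kind, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        kind, end = "jpeg", jpeg_end_offset(data)
    else:
        kind, end = "unknown", None
    if end is None:
        return {"kind": kind, "malformed": True, "trailing_bytes": 0,
                "zip_like": False, "apk_like": False}
    trailer = data[end:]
    return {"kind": kind, "malformed": False, "trailing_bytes": len(trailer),
            "zip_like": any(m in trailer for m in ZIP_MAGICS),
            "apk_like": any(n in trailer for n in APK_NAMES)}


# --- constructed samples (not real app assets) -------------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """A valid 1x1 red PNG built in code."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter 0 + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b""))


def make_jpeg_skeleton() -> bytes:
    """Marker structure only (APP0, SOS with a stuffed 0xFF00 and an RST0, EOI);
    enough to exercise the segment walker, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\xff\x00\x34\xff\xd0\x56"
    return JPEG_SOI + app0 + sos + entropy + b"\xff\xd9"


# Stand-in for an archive glued after the picture: ZIP magic plus an APK-style
# filename. Constructed bytes, not a real or usable archive.
FAKE_TRAILER = b"PK\x03\x04" + b"\x00" * 26 + b"AndroidManifest.xml" + b"\x00" * 8
```

Run `analyze_image()` over every `.png`/`.jpg` pulled out of an APK’s `assets/` and `res/` folders and sort by `trailing_bytes`; a clean asset reports zero. A result of `malformed` is worth a look too, since a file that parses as neither a clean image nor an image-plus-trailer may be hiding data some other way, which this check deliberately does not try to decode.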

Be sure to avoid the games published by the developers named above, and it’s probably a good idea to start checking into the background of the developer of any app you download. Even if Google is trying its hardest to keep Google Play clean, it seems they can’t quite catch everything just yet.

[Dr Web via Security Affairs]