Jan 23rd, 2017

Researchers have detected a new type of Android malware that can do some pretty heinous things if you happen to be infected, including downloading apps from the Google Play Store and stealing your information.

This new malware is codenamed Skyfin, and it infects devices with the help of a completely different piece of malware known as Android.DownLoader. Android.DownLoader is usually distributed through applications that are altered and then uploaded to third-party stores, where users download them and infect their devices unbeknownst to them.

According to security company Dr. Web, Skyfin is capable of compromising the Google Play Store process to automatically download new apps onto users’ devices. These apps can’t be installed automatically, but the file is stored in the downloads folder once it has been downloaded. Here’s how the firm describes how the malware works.

“It steals a mobile device’s unique ID and the account of the device’s owner which are used to interact with Google services; it also steals various internal authorization codes for connecting to the Google Play catalog as well as other confidential data. Then the module sends this data to the main component of Android.Skyfin.1.origin, after which the Trojan sends the data to the command and control server along with the device’s technical information.”

What’s worse is that once the malware is enabled on an infected device, it can search the Google Play Store for specific apps, purchase them, accept the terms of service, and leave reviews and rate apps on your behalf, all without you knowing the malware is doing this behind the scenes. Skyfin can even click on banner ads in infected apps, so hijackers can use infected devices to increase their revenue streams. Dr. Web described that process, too.

“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server. Another Android.Skyfin.1.origin modification is more general. It can download any application from the catalog. For this purpose, the cybercriminals provide the Trojan with a list of programs for download.”

So how can you prevent Skyfin from infecting your phone? The easiest way is to only download .apk files from the Google Play Store unless you completely trust the developer. Google has several algorithms at work that detect shady behavior in apps as soon as they’re uploaded by the creator, so it’s harder for these malware-infected apps to spread through the Play Store.
