Researchers discovered a new trojan that pretends to be a Google service on infected Android devices.
The malware, named “GPlayed,” is a Trojan which labels itself “Google Play Marketplace” and uses an icon very similar to that of the standard Google Play app in order to trick victims into believing the software is legitimate.
After running a malware analysis on it, researchers discovered that GPlayed is extremely powerful because it has the flexibility and the ability to adapt after deployment.
The new threat is coded in .NET using the Xamarin mobile environment. The trojan also contains a number of interesting built-in capabilities. It is built on a modular infrastructure which is able to remotely load plugins in real-time or when the malware is compiled and packaged.
It has many destructive capabilities that are similar to other malware strains in the same class. GPlayed is used for the theft of financial information and for espionage purposes. It can harvest banking credentials, monitor device location, steal device data, log keystrokes, and more.
Remember that everything can be hacked. To stay clear of threats from the cyber world, we recommend installing antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS the device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network; these tests include penetration testing and ethical hacking.
Once an Android mobile device is infected, the trojan will attempt to register the device with the malware’s command-and-control (C2) server and, at this point of the infection, exfiltrate private information including the handset’s model, IMEI, phone number, registered country, and the version of Android in use.
GPlayed will forward on any future message content and information relating to the sender to the C2.
The final stage of registration involves requesting additional permissions for the purpose of privilege escalation.
Once installed, the Trojan will wait for a time before activating eClient and a subclass called “GoogleCC.” This opens a Google-themed web page on the device without user interaction which requests the user’s payment information in order to use Google services.
If the victim enters their details, the information is sent to the C2 via HTTP. The stolen information is obfuscated by being serialized as JSON and then Base64-encoded.
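The registration and payment-theft stages described above both ship data to the C2 as Base64-wrapped JSON over HTTP, which is a pattern a network defender can look for. The following is an added example (not code from the article or from the GPlayed sample) that reverses that layering on constructed proxy-log lines and flags bodies carrying device-registration or payment-card fields. The JSON key names, the `c2.example.invalid` hostname and the log line format are all assumptions for illustration; the article does not give the malware's real field names or C2 address.

```python
import base64
import binascii
import json

# Field names standing in for what the article says GPlayed reports at
# registration (model, IMEI, phone number, country, Android version) and at
# the fake Google payment page. The real key names are NOT on the page; these
# are assumed generic names so the example has something to match on.
REGISTRATION_FIELDS = {"imei", "model", "phone", "country", "android_version"}
PAYMENT_FIELDS = {"card_number", "cvv", "expiry"}


def decode_payload(body: str):
    """Reverse the Base64 + JSON layering described for GPlayed.
    Returns the parsed JSON object, or None if the body is not Base64-wrapped JSON."""
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def classify_post(body: str) -> str:
    """Classify one HTTP POST body as 'registration', 'payment_theft' or 'benign'.
    Thresholds (>=2 payment keys, >=3 registration keys) are a tuning choice."""
    obj = decode_payload(body)
    if obj is None:
        return "benign"
    keys = {str(k).lower() for k in obj}
    if len(keys & PAYMENT_FIELDS) >= 2:
        return "payment_theft"
    if len(keys & REGISTRATION_FIELDS) >= 3:
        return "registration"
    return "benign"


def scan_log(lines):
    """Scan constructed proxy-log lines of the form
    '<timestamp> POST <url> <base64 body>' and return (timestamp, url, verdict)
    for every line that is not benign. Non-POST lines are ignored."""
    hits = []
    for line in lines:
        parts = line.strip().split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue
        ts, _, url, body = parts
        verdict = classify_post(body)
        if verdict != "benign":
            hits.append((ts, url, verdict))
    return hits


def b64json(d) -> str:
    """Helper used only to build the constructed sample bodies below."""
    return base64.b64encode(json.dumps(d).encode("utf-8")).decode("ascii")


# Constructed sample traffic. The C2 host is a placeholder, not a real IoC,
# and the IMEI / card number are obviously fake test values.
SAMPLE_LOG = [
    "2018-10-12T09:00:01Z POST http://c2.example.invalid/register " + b64json({
        "imei": "000000000000000", "model": "TestPhone", "phone": "+10000000000",
        "country": "XX", "android_version": "8.1"}),
    "2018-10-12T09:05:44Z GET http://www.example.com/index.html",
    "2018-10-12T09:07:10Z POST http://api.example.com/v1/echo " + b64json({"ping": "pong"}),
    "2018-10-12T09:30:02Z POST http://c2.example.invalid/cc " + b64json({
        "card_number": "4111111111111111", "cvv": "000", "expiry": "01/30"}),
    "2018-10-12T09:31:00Z POST http://api.example.com/upload not-base64-at-all!!",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the malware's own key names are unknown here, a real deployment would pair this with the rest of the article's behavioural indicators (an app calling itself "Google Play Marketplace", a burst of permission requests after install, a payment prompt appearing without user interaction) rather than relying on field-name matching alone.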
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.