Security specialists have discovered a new backdoor on Google Play that executes commands from cybercriminals and lets them remotely control infected Android devices and spy on their users. Named Android.Backdoor.736.origin, the malware spreads as an OpenGL plug-in that supposedly checks the version of the OpenGL ES graphics interface and downloads updates.
When Android.Backdoor.736.origin is run, it requests several important system permissions that allow it to collect sensitive data and work with the file system. It also tries to obtain permission to display its own screens on top of other apps' interfaces.
The malicious app has a button to check for updates to the OpenGL ES GUI. When the button is clicked, the Trojan mimics a search for new versions of OpenGL ES, but in fact it performs no search at all.
Once the victim closes the app window, Android.Backdoor.736.origin removes its icon from the list of apps in the main menu and creates a shortcut instead. This makes it harder for the user to remove the Trojan later, because deleting the shortcut does not affect the malware itself.
Android.Backdoor.736.origin is constantly active in the background. It can be started not only via the icon or the shortcut but also automatically at system startup and on command from the cybercriminals via Firebase Cloud Messaging. The Trojan's main functionality lives in an encrypted auxiliary file stored in a directory alongside other program resources. This auxiliary file is decrypted and loaded into memory each time Android.Backdoor.736.origin starts.
The malware maintains a connection to several servers, from which it receives commands from the cybercriminals and to which it forwards the collected data. The cybercriminals can also control the Trojan through the Firebase Cloud Messaging service.
Android.Backdoor.736.origin is able to perform the following actions:
· Transferring information to the server via SMS (the version of the Trojan examined does not have the necessary permissions to do this);
· Transmitting information about telephone calls to the server;
· Transmitting data about the device's location to the server;
· Downloading and running apk or dex files using the DexClassLoader class;
· Transferring information about installed apps to the server;
· Downloading and running executable files;
· Downloading files from the server;
· Transferring a specified file to the server;
· Transferring information about files in a specified directory, or about files on the memory card, to the server;
· Running a shell command;
· Starting specified activities;
· Downloading and installing an Android app;
· Displaying certain notifications;
· Requesting the permission specified in the command;
· Submitting to the server a list of the permissions granted to the Trojan;
· Locking the device into sleep mode.
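The permissions and API calls behind the capabilities listed above (boot-time start, Firebase Cloud Messaging wake-ups, overlay windows, call-log and location access, DexClassLoader, shell commands, launcher-icon hiding) are exactly the indicators an analyst looks for when triaging an APK. The following added example, which is not code from the Trojan or from any vendor, scores a decoded AndroidManifest.xml and a list of class/method references against those indicators. The manifest and the reference list are constructed samples modelled on the article's description, not the real sample's files, and the permission-to-behaviour mapping is the author's own heuristic.

```python
"""Static triage of a decoded Android manifest and a dex class-reference list
for the behaviours described in the article.

Added example; not code from the malware or from any antivirus product.
SAMPLE_MANIFEST and SAMPLE_REFS are CONSTRUCTED inputs."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Constructed manifest modelled on the described capabilities (not the real one).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.opengl.plugin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed smali-style references, as a disassembler would list them.
SAMPLE_REFS = [
    "Ldalvik/system/DexClassLoader;-><init>",
    "Ljava/lang/Runtime;->exec",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "Ljavax/crypto/Cipher;->getInstance",
]

# Heuristic mapping from permission to the behaviour it enables.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts at boot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (overlay phishing)",
    "android.permission.READ_CALL_LOG": "reads call information",
    "android.permission.ACCESS_FINE_LOCATION": "tracks device location",
    "android.permission.READ_EXTERNAL_STORAGE": "reads files on the memory card",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further APKs",
    "android.permission.SEND_SMS": "exfiltrates via SMS",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "creates launcher shortcuts",
}

# Heuristic mapping from code reference to behaviour.
SUSPICIOUS_REFS = {
    "Ldalvik/system/DexClassLoader;": "loads downloaded dex/apk code at runtime",
    "Ljava/lang/Runtime;->exec": "runs shell commands",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting": "can hide its launcher icon",
}


def triage_manifest(manifest_xml):
    """Return (indicator, reason) pairs found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append((name, SUSPICIOUS_PERMISSIONS[name]))
    for action in root.iter("action"):
        name = action.get(NAME, "")
        if name == "android.intent.action.BOOT_COMPLETED":
            findings.append((name, "receiver auto-starts after reboot"))
        elif name == "com.google.firebase.MESSAGING_EVENT":
            findings.append((name, "service wakes on Firebase Cloud Messaging pushes"))
    return findings


def triage_refs(refs):
    """Return (indicator, reason) pairs for suspicious class/method references."""
    return [(needle, reason) for ref in refs
            for needle, reason in SUSPICIOUS_REFS.items() if ref.startswith(needle)]


def triage(manifest_xml, refs):
    """Combine both checks; the score is simply the number of indicators hit."""
    findings = triage_manifest(manifest_xml) + triage_refs(refs)
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_REFS)
    print(f"score: {report['score']}")
    for indicator, reason in report["findings"]:
        print(f"  {indicator}: {reason}")
```

On the constructed input the script reports twelve indicators: seven permissions, the boot receiver, the FCM service and three code references. No single indicator is proof of malice (many legitimate apps use FCM or request location), which is why the script reports each hit with its reason rather than a verdict; the combination of runtime dex loading, shell execution and icon hiding in an "OpenGL plug-in" is what should send an analyst to dynamic analysis.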
The Trojan encrypts all data sent to the server with the AES algorithm. Each request is protected by a key generated from the current time, and the server's response is encrypted with the same key.
Android.Backdoor.736.origin can install apps in two ways:
· via the system package manager (only for system software);
· via the standard dialog in which the user must agree to the installation.
The pest is therefore dangerous. It is used not only for cyber espionage but can also serve phishing campaigns, since it can display windows and notifications with arbitrary content. It can also download and install other malicious apps and run arbitrary code. For example, Android.Backdoor.736.origin can download an exploit and execute it to gain root privileges. After that it has a free hand and can carry out any action on the Android system without the user's consent.
The specialists have notified Google of the Trojan they found. At the time this news was published, the Trojan had been removed from the Google Play store.
Android.Backdoor.736.origin and its components are successfully detected by Protegent Antivirus for Android, so the malware does not pose a threat to Protegent users.
