Android Trojan Kills Google Play Protect, Spews Fake App Reviews (Jan 11, 2019)

Researchers at Kaspersky Lab have identified an Android malware strain, “Trojan-Dropper.AndroidOS.Shopper.a”, that threat actors use to inflate application installation counts and ratings and so fool advertisers with false metrics. The trojan is a malicious app that is likely distributed through third-party app stores and is disguised as a legitimate system application to conceal itself. Once the device is infected, a malicious actor can disable the Google Play Protect service and abuse the Accessibility Service, a known Android malware tactic, to conduct activities without needing user interaction. The actor can steal information from the device, such as email addresses, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), network type, and smartphone model, and exfiltrate it to the actors’ servers. A series of commands is sent to infected devices with the intent to generate fake reviews, install apps onto the device, and register social media accounts with apps. According to Kaspersky Lab researcher Igor Golovin, the trojan is most widespread in Russia, Brazil, and India, accounting for over 61% of infected users.

Recommendation: Users should always download applications directly from the Google Play store, avoid third-party app stores, and carefully read the permissions an application requests prior to installation. It can also be useful to read the comments regarding the application to identify potential issues. Furthermore, trusted antivirus applications should be run on mobile devices.
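The two device-side behaviors described above (an unexpected app holding Accessibility Service access, and Play Protect verification switched off) can be checked on a device over adb. The following is an added example, not code from Kaspersky Lab or from the original summary; it assumes the Android settings keys `enabled_accessibility_services`, `package_verifier_enable` and `package_verifier_user_consent` reflect that state on the device being examined (this can vary by Android version), and the allowlist and sample values are constructed.

```python
import subprocess

# Assumption: packages this device's owner expects to hold accessibility access.
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
KEYS = [("secure", "enabled_accessibility_services"),
        ("global", "package_verifier_enable"),
        ("global", "package_verifier_user_consent")]


def collect_via_adb():
    """Read the audited settings from a USB-attached device (needs adb on PATH)."""
    values = {}
    for namespace, key in KEYS:
        out = subprocess.run(["adb", "shell", "settings", "get", namespace, key],
                             capture_output=True, text=True, check=True)
        values[key] = out.stdout.strip()
    return values


def audit(settings, allowed=ALLOWED_A11Y_PACKAGES):
    """Return (finding, detail) tuples for risky accessibility/verifier state."""
    findings = []
    # Value is a colon-separated list of "package/ServiceClass"; "null" when unset.
    raw = settings.get("enabled_accessibility_services", "")
    for component in raw.split(":"):
        if component in ("", "null"):
            continue
        package = component.split("/", 1)[0]
        if package not in allowed:
            findings.append(("unexpected_accessibility_service", component))
    if settings.get("package_verifier_enable") == "0":
        findings.append(("package_verifier_disabled", "package_verifier_enable=0"))
    if settings.get("package_verifier_user_consent") == "-1":
        findings.append(("play_protect_scanning_declined",
                         "package_verifier_user_consent=-1"))
    return findings


# Constructed sample values, not taken from a real infection.
SAMPLE_CLEAN = {"enabled_accessibility_services": "null",
                "package_verifier_enable": "1",
                "package_verifier_user_consent": "1"}
SAMPLE_SUSPECT = {
    "enabled_accessibility_services":
        "com.google.android.marvin.talkback/"
        "com.google.android.marvin.talkback.TalkBackService"
        ":com.example.systemhelper/.HelperService",
    "package_verifier_enable": "1",
    "package_verifier_user_consent": "-1"}

if __name__ == "__main__":
    for name, detail in audit(SAMPLE_SUSPECT):
        print(f"[!] {name}: {detail}")
```

To audit a real device, pass the result of `collect_via_adb()` to `audit()` and review every accessibility service that is not on the allowlist.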

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.