Trojanized Android games hide malicious code inside images

The attack was likely inspired by a technique demonstrated by researchers over a year ago

Over 60 Android games hosted on Google Play had Trojan-like functionality that allowed them to download and execute malicious code hidden inside images.

The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

Malicious Android apps were a common occurrence on Google Play until a few years ago when Google implemented more rigorous checks. This included an automated scanner called Bouncer that used emulation and behavior-based detection.

Bypassing Bouncer detection is not impossible, but is hard enough to keep most malware creators away. Most Android Trojans these days are distributed through third-party app stores, targeting users who have enabled the installation of apps from "unknown sources."

The authors of Android.Xiny.19.origin seem to have been a bit more determined. Their trojanized games are functional, but in the background they collect identifying information from targeted devices.

This information includes the phone's unique IMEI and IMSI identifiers, MAC address, mobile operator, country and language settings, operating system versions and more.

The attackers can also instruct the apps to display advertisements, to silently install or delete apps if root access is enabled on the phone and to launch APKs (Android application packages) that are hidden inside images.

The latter functionality, which uses steganography, is the most interesting feature of the malware and makes it harder to detect the malicious code.

"Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly," the Dr. Web researchers said in a blog post. "Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images."

After a specially crafted image is downloaded from the command-and-control server, the Trojan extracts an APK from it by using a special algorithm. It then loads the malicious code in the device's memory by using the DexClassLoader Android function.

The attack is very similar to a concept presented at the Black Hat Europe security conference in October 2014 by researchers Axelle Apvrille and Ange Albertini.

The two researchers showed at the time that they could hide an APK inside an image file while keeping the image valid when opened. However, when applying a decryption algorithm to it, they could recover the APK. Furthermore, the researchers even mentioned that DexClassLoader can be used to dynamically load the APK into memory, exactly as Android.Xiny.19.origin does now.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?