Trojanized Android games hide malicious code inside images

The attack was likely inspired by a technique demonstrated by researchers over a year ago

Over 60 Android games hosted on Google Play had Trojan-like functionality that allowed them to download and execute malicious code hidden inside images.

The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

Malicious Android apps were a common occurrence on Google Play until a few years ago when Google implemented more rigorous checks. This included an automated scanner called Bouncer that used emulation and behavior-based detection.

Bypassing Bouncer detection is not impossible, but is hard enough to keep most malware creators away. Most Android Trojans these days are distributed through third-party app stores, targeting users who have enabled the installation of apps from "unknown sources."

The authors of Android.Xiny.19.origin seem to have been a bit more determined. Their trojanized games are functional, but in the background they collect identifying information from targeted devices.

This information includes the phone's unique IMEI and IMSI identifiers, MAC address, mobile operator, country and language settings, operating system versions and more.

The attackers can also instruct the apps to display advertisements, to silently install or delete apps if root access is enabled on the phone and to launch APKs (Android application packages) that are hidden inside images.

The latter functionality, which uses steganography, is the most interesting feature of the malware and makes it harder to detect the malicious code.

"Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly," the Dr. Web researchers said in a blog post. "Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images."

After a specially crafted image is downloaded from the command-and-control server, the Trojan extracts an APK from it by using a special algorithm. It then loads the malicious code in the device's memory by using the DexClassLoader Android function.

The attack is very similar to a concept presented at the Black Hat Europe security conference in October 2014 by researchers Axelle Apvrille and Ange Albertini.

The two researchers showed at the time that they could hide an APK inside an image file while keeping the image valid when opened. However, when applying a decryption algorithm to it, they could recover the APK. Furthermore, the researchers even mentioned that DexClassLoader can be used to dynamically load the APK into memory, exactly as Android.Xiny.19.origin does now.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?