Nowadays malware developers are looking for ways to trick their way into the Playstore after Google enabled the new Google Play Protect system. Usually, malware simply starts malicious activity on the onset, but with this new breed, multiple stages are involved before any harmful work commences.
Which apps are infected
ESET, a leading global cyber security company, has detected Android/TrojanDropper.Agent.BKY, it is a new multi-stage malware that has already been implemented into 6 apps that have since been removed from the Play Store. The apps include; MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO. The 6 apps avoided detection through breaking down their malicious activities into 4 stages.
How the multi-stage malware works
After installing either of the apps, you would not be requested to give consent to any suspicious permissions. The app would simply work as advertised but in the background, it would decrypt and execute first-stage payload which would in turn decrypt and execute the second stage payload. The second-stage payload contained a hardcoded URL, from which it downloaded another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user was then prompted to install the downloaded app.
This downloaded app would be disguised as either Adobe Flash Player, Android Update or Adobe Update. This app then asks for very suspicious permissions but the unaware user would not be cautious due to the use of a familiar disguise.
Once installed and having the requested permissions granted, the malicious app serving as the third-stage payload decrypted and executed the fourth-stage – and final – payload. In all the cases investigated by ESET, the final payload was a mobile banking trojan. Once installed, it behaved like a typical malicious app of its kind: with potential to present the user with fake login forms to steal credentials or credit card details. Two of most recent samples of Android/TrojanDropper.Agent.BKY were caught downloading either MazarBot, a notorious banking trojan, or spywareGiven its nature, this downloader can deliver any payload of the criminals’ choice as long as it doesn’t get flagged by the Google Protect mechanism.
How to protect yourself
If you’ve downloaded any of these apps, you need to (i) deactivate admin rights for the installed payload, (ii) uninstall the surreptitiously-installed payload and (iii) uninstall the app downloaded from the Play Store.
To deactivate admin rights for the installed payload, go to
Settings > (General) > Security > Device administrators
and search for Adobe Flash Player, Adobe Update or Android Update.
To uninstall the installed payload, go to
Settings > (General) > Application manager/Apps
and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.
To uninstall the malicious app downloaded from the Play store, go to
Settings > (General) > Application manager/Apps
and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO.
Note: The settings structure may vary slightly depending on Android version.
How to stay protected
Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial to check app ratings and comments, pay attention to what permissions the app requests for, and run a quality security solution- like ESET- on their mobile devices