GPlayed Trojan Masquerades as Google Play to Attack Android Devices: Cisco Talos

By Sumit Chakraborty | Updated: 12 October 2018 18:41 IST
Highlights
  • The Trojan is said to be extremely flexible
  • Its design and implementation is of "an uncommonly high level"
  • It is said to be powerful because of its ability to adapt during deployment

'Google Play Marketplace' uses an icon that is similar to the original Google Play icon

Photo Credit: Cisco Talos

Researchers have identified a new Android Trojan, dubbed 'GPlayed', that comes with several built-in capabilities. The Trojan is said to be extremely flexible, which makes it a very effective tool for cyber-attackers. On infected Android devices it mimics a popular Google service, the Google Play store. To fool users into believing that it is legitimate software, the malware labels itself 'Google Play Marketplace' and uses an icon that resembles the original Google Play app icon. The researchers who found the malware say it is extremely powerful because of its capability to adapt during deployment.

According to a blog post by researchers at Cisco Talos, the GPlayed Trojan's design and implementation are of "an uncommonly high level," making it a dangerous threat. They said that such threats will become more common as more companies decide to publish their software directly to consumers. GPlayed is said to be a full-fledged Trojan with capabilities ranging from those of "a banking Trojan to a full spying Trojan." This essentially means that the malware can do anything from "harvest the user's banking credentials, to monitoring the device's location." The Trojan also shows a new path for threats to evolve: the ability to move code from desktop to mobile platforms without any effort.

According to the blog post, the malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL" and contains one root class, "eClient," which is the core of the Trojan. The post adds, "The imports reveal the use of a second DLL called 'eCommon.DLL.' We determined that the 'eCommon' file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities."

The GPlayed Trojan is highly evolved in its design, says Vitor Ventura, the author of the blog post. It has a modular architecture implemented in the form of plugins, and it can also receive new .NET source code that is compiled on the device at runtime. The blog adds, "This means that the authors or the operators can add capabilities without the need to recompile and upgrade the Trojan package on the device."


To achieve this adaptability, the operator can remotely load plugins, inject scripts, and compile new .NET code that is then executed. "Our analysis indicates that this Trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one," Ventura adds.
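The fake-versus-real distinction the researchers describe can be checked mechanically from a device's app inventory: the genuine Play Store is the preloaded `com.android.vending` package, so any other package whose label reads like "Google Play" is suspect. The following is an added example, not Talos or Gadgets 360 code; the inventory records and the `com.example`/`org.example` package names are constructed placeholders.

```python
import re
import unicodedata
from dataclasses import dataclass

# Package name of the genuine Google Play Store app on Android.
PLAY_STORE_PACKAGE = "com.android.vending"
# Label pattern an impostor imitates (matches "Google Play Marketplace" too).
PLAY_LABEL = re.compile(r"google\s*play")


@dataclass(frozen=True)
class InstalledApp:
    label: str      # user-visible application label
    package: str    # package name (unique per app on a device)
    system: bool    # True if installed in the system partition (FLAG_SYSTEM)


def normalize(label: str) -> str:
    """Fold case and apply NFKC so fullwidth or styled letters used to
    disguise a label still match the plain ASCII pattern."""
    return unicodedata.normalize("NFKC", label).casefold()


def find_play_store_impostors(apps):
    """Return (package, reason) for apps whose label imitates Google Play but
    whose package is not the genuine store. The real store is a preloaded
    system app, so a user-installed match is the strongest signal."""
    findings = []
    for app in apps:
        if not PLAY_LABEL.search(normalize(app.label)):
            continue
        if app.package == PLAY_STORE_PACKAGE:
            continue
        where = "system partition" if app.system else "user-installed"
        findings.append((app.package, f"label {app.label!r} imitates Google Play; {where}"))
    return findings


# Constructed inventory in the shape PackageManager / `pm list packages` would yield.
SAMPLE_INVENTORY = [
    InstalledApp("Google Play Store", "com.android.vending", True),
    InstalledApp("Google Play Marketplace", "com.example.fakestore", False),  # placeholder
    InstalledApp("Ｇoogle Ｐlay", "org.example.lookalike", False),            # fullwidth G, P
    InstalledApp("Calculator", "com.android.calculator2", True),
]

if __name__ == "__main__":
    for pkg, reason in find_play_store_impostors(SAMPLE_INVENTORY):
        print(f"{pkg}: {reason}")
```

On a real device the same records come from `PackageManager.getInstalledApplications()` or `adb shell pm list packages -f`, with the label resolved per package; a signer-certificate check against Google's known certificate would further strengthen the test.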

The Cisco Talos blog provides a list of URLs, hash values, and a custom activity prefix as indicators of compromise. It also lists several ways its products can be used to detect and block GPlayed-like attacks. Cyber attackers are said to be still testing GPlayed, but the Cisco researchers warn that it is shaping up as a serious threat.


Ventura added, "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful."
