Warning: Android devices are being targeted by a new type of malware that can secretly download and purchase applications from the Google Play Store. It is also capable of stealing information, such as the configured Google account.

Codenamed Skyfin, the infection spreads by using a trojan known as Android.Downloader, which may be present in illegitimate applications found outside the Play Store. Google’s review process typically blocks malicious apps from ever appearing in the Play Store, keeping users safe, so users who download apps from third-party sources may be exposed to attacks such as Skyfin.

Extreme caution is advised for anyone who wishes to download apps from outside the Play Store. Users are advised not to install applications from external sources at all, but if you must, scanning the .apk files with an up-to-date antivirus prior to installing them is vital.

Security company Dr. Web says Skyfin can compromise the Google Play Store process to automatically download apps on users’ devices. These apps are not installed, though; the files are stored in the downloads folder so that the user does not notice any difference on their phone.

“It steals a mobile device’s unique ID and the account of the device’s owner which are used to interact with Google services; it also steals various internal authorization codes for connecting to the Google Play catalog as well as other confidential data. Then the module sends this data to the main component of Android.Skyfin.1.origin, after which the Trojan sends the data to the command and control server along with the device’s technical information,” the security firm says.

Listening for instructions

The malware remains active in the background, listening for commands from the authors of the malware. It can search for a particular app in the Google Play Store, purchase and download it, accept the permissions dialog and even add reviews and rate apps.

So, the malware can be used not only to steal from a user autonomously (by downloading paid apps), but also to increase the popularity of select Google Play applications without the users ever finding out what’s going on.

If that wasn’t enough, it turns out that Skyfin can even click on advertisements (full page and banner ads) inside apps, which gives the authors yet another means of revenue from compromised devices.

“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server. Another Android.Skyfin.1.origin modification is more general. It can download any application from the catalog. For this purpose, the cybercriminals provide the Trojan with a list of programs for download,” the firm says.

The most straightforward way to stay safe is to always keep an eye on the apps that you download from third-party sources: never install APKs that seem suspicious, or scan them with an antivirus before installing.
