2 Million Downloads: Malicious ‘Game’ Apps on Google Play Exposed

Android.FakeApp.1669 is an Android trojan that uses a modified dnsjava library to fetch its configuration and malicious links from attacker-controlled DNS servers, and only when the device is connected through certain internet providers. Until those network conditions are met the trojan behaves like an ordinary app, which makes it harder to detect and analyze.

It is distributed as a Trojan horse disguised as various legitimate programs, and the affected apps have been downloaded more than 2 million times from Google Play. The malicious modifications compromise user devices, potentially stealing sensitive information and causing other harm.

Multiple instances of the trojan, known as Android.FakeApp.1669, were discovered by Dr.Web analysts while they were searching Google Play for legitimate apps.

These malicious apps, including productivity tools, recipe books, and games, have collectively been downloaded over 2 million times. While some of these apps have been removed from the store, others remain available, posing a significant security risk to users.

Example of the programs in which Android.FakeApp.1669 was hidden

Android.FakeApp.1669 queries its C&C server, a DNS server under the attackers' control, for the TXT record of a target domain. If a record is returned, it contains the malware's configuration; the server only hands one out to devices connected via specific mobile internet providers.

The trojan encodes device details in the subdomain labels of the name it queries: device model, screen size, installation time, battery status, and whether developer settings are enabled. The DNS server reads those labels and returns a configuration tailored to the infected device.

The trojan did not receive a configuration from the C&C server and launched as a normal app

The disguised apps request DNS TXT records for specific domains with long, complex names; those records carry the configuration and additional malicious components delivered to the infected device.

Once a TXT record is received, its contents are unpacked by reversing the string, Base64-decoding it, gzip-decompressing the result, and splitting the decompressed text into lines on the ÷ character.

The malicious program displayed the contents of a loaded online casino website

The extracted data includes the URL `hxxps[:]//goalachievplan[.]pro`, the advertising ID `DF3DgrCPUNxkkx7eiStQ6E`, and the operating system ID `f109ec36-c6a8-481c-a8ff-3ac6b6131954` from the TXT record for the Goal Achievement Planner app.
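The unpacking sequence described above (reverse, Base64, gzip, split on ÷), as an added Python example written for this page rather than code from Dr.Web or from the trojan: it builds a constructed TXT record in that format from the three values quoted in the article, then decodes it back and rejects records that are not payloads at all. The `join_txt_strings` helper, the error handling, and the field order assumed in `parse_config` (URL, advertising ID, OS ID) are assumptions, as are all function names.

```python
import base64
import gzip
import zlib

# Line separator inside the decompressed configuration, per the article.
SEPARATOR = "\u00f7"  # the ÷ character


def join_txt_strings(strings):
    """Reassemble a TXT record from its <character-string>s.

    One TXT RR is stored as one or more strings of at most 255 bytes each;
    resolvers return them as a list, so a long payload must be concatenated
    before decoding. (Helper added here; the page does not describe this step.)
    """
    return "".join(strings)


def decode_txt_record(record):
    """Unpack one TXT record in the order the article gives:
    reverse -> Base64 decode -> gzip decompress -> split on ÷."""
    b64 = record[::-1]
    compressed = base64.b64decode(b64, validate=True)
    raw = gzip.decompress(compressed).decode("utf-8")
    return raw.split(SEPARATOR)


def try_decode_txt_record(record):
    """Like decode_txt_record, but return None for anything that is not a
    well-formed payload (an unrelated TXT record such as SPF, or a truncated one)."""
    try:
        return decode_txt_record(record)
    except (ValueError, OSError, EOFError, zlib.error):
        # binascii.Error and UnicodeDecodeError are ValueErrors;
        # gzip.BadGzipFile is an OSError; truncated gzip raises EOFError.
        return None


def encode_txt_record(lines):
    """Build a payload in the same format (the inverse of decode_txt_record),
    so the decoder can be exercised offline."""
    raw = SEPARATOR.join(lines).encode("utf-8")
    compressed = gzip.compress(raw, mtime=0)  # fixed mtime: reproducible output
    return base64.b64encode(compressed).decode("ascii")[::-1]


def parse_config(lines):
    """Map decoded lines onto the fields the article reports.

    Assumption (not stated on the page): the first three lines are, in order,
    the URL to load in the WebView, the advertising ID and the OS ID.
    """
    if len(lines) < 3:
        raise ValueError("configuration has fewer than 3 lines")
    return {"url": lines[0], "advertising_id": lines[1], "os_id": lines[2]}


# Constructed sample using the values quoted in the article (URL kept defanged).
# The encoded record is built here, not captured from a real DNS response.
SAMPLE_LINES = [
    "hxxps[:]//goalachievplan[.]pro",
    "DF3DgrCPUNxkkx7eiStQ6E",
    "f109ec36-c6a8-481c-a8ff-3ac6b6131954",
]
SAMPLE_RECORD = encode_txt_record(SAMPLE_LINES)


if __name__ == "__main__":
    # Simulate a resolver handing back the record split into <=255-byte strings.
    chunks = [SAMPLE_RECORD[i:i + 255] for i in range(0, len(SAMPLE_RECORD), 255)]
    print(parse_config(decode_txt_record(join_txt_strings(chunks))))
    print(try_decode_txt_record("v=spf1 -all"))  # an ordinary TXT record: None
```

The same decoder can be pointed at TXT records collected from DNS logs: anything that survives `try_decode_txt_record` and yields a URL-like first line is worth a closer look, while ordinary SPF, DKIM or verification records fail at the Base64 step and are discarded.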

The trojan disguises itself as a benign application but loads attacker-specified web content inside its WebView component; a chain of concealed redirects then leads the user to online casino sites, so the app effectively turns into a web-based casino front end.

According to Dr.Web, the malware can operate as a legitimate program even without internet access, because it carries the real app's built-in functionality; this keeps it on the device and available for activation at a later time.


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
