Both “Super Mario Bros.” and “GTA 3 Moscow City” racked up 50,000 to 100,000 downloads after being posted June 24 on Google Play.
“What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered,” Irfan Asrar wrote in a blog post Tuesday. “Our suspicion is that this was probably due to the remote payload employed by this Trojan.”
Asrar last year wrote about this evasion-driven technique, in which the payload is broken into separate modules and delivered independently, making it easier to hide and inject in other apps. In the case of this malware, called Android.Dropdialer, the first stage was posted on Google Play. Once installed, it downloaded an additional package via Dropbox called Activator.apk that sends SMS messages to a premium-rate number tied to Eastern Europe.
“An interesting feature of the secondary payload is that it prompts to uninstall itself after sending out the premium SMS messages—an obvious attempt at hiding the true intent of the malicious app,” Asrar said.
The security researcher noted that Android Security immediately revoked the threat once it was notified.