Phony Pokémon GO Android App Gave Attackers Root Access

A rogue “Guide for Pokémon GO” app made it into Google Play’s marketplace and gave attackers root access to any Android device it was installed on.

A rogue and malicious app that billed itself as a “Guide for Pokémon GO” managed to make it into Google Play’s marketplace. Once installed, the malware-laced app gave attackers root access to any Android device it was installed on.

The app, actually a Trojan in disguise, contained a nasty piece of code that went on to root unsuspecting users’ devices, according to Roman Unuchek, a senior malware analyst with Kaspersky Lab’s Global Research and Analysis Team, who published research on the find Wednesday.

The app was downloaded more than 500,000 times before Kaspersky Lab reported it to Google, which removed it from the store earlier this week.

While the fact that half a million users were tricked into downloading the app is impressive, what’s potentially scarier is that 6,000 of those users were successfully infected by it. The app was geared towards English-speaking users, but its victims were mostly confined to Russia, India, and Indonesia, according to Unuchek.

A description on Google Play claimed the app was a guide, consisting of several tips and tricks for the popular game.


According to Unuchek, who described the Trojan in a Securelist post, the app evades detection by hiding its executable inside a commercial packer. The decrypted file doesn’t start when a user opens the app, however. Once unpacked, a dormant, obfuscated module waits for the user to install or uninstall another app before running.

Even after the user opens the app and the malware determines it is running on a device, it waits two hours before starting its malicious activity. Surprisingly, the Trojan is even more wary when it comes to communicating with the command-and-control server (CnC). It waits two more hours in between requests, allowing the attacker to select which devices they want to target.

“If the server wants the Trojan to continue it will respond with an ID string. Only if the Trojan receives this ID string will it make its next request to the CnC. If it doesn’t receive anything, it will wait for two hours and then resubmit the first request,” Unuchek writes.
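The beaconing behaviour Unuchek describes (a request to the command-and-control server roughly every two hours, repeated indefinitely while the server stays silent) is exactly the kind of low-frequency, highly regular pattern that stands out in network logs once you look for it. The following script is an added example written for this page, not code from the article or from Kaspersky Lab: it parses constructed proxy-style log lines, groups requests per device and destination host, and flags flows whose inter-request gaps cluster tightly around an expected interval. The log format, the device identifiers, the host names and the two-hour target are all assumptions made for the example; the real Trojan's traffic was not published here.

```python
"""Flag low-frequency periodic beaconing in simple proxy-style logs.

Added example (not from the article or from Kaspersky Lab). The format
"<ISO timestamp> <device_id> <destination host>" and every log line below
are constructed for this example; the beacon interval is taken from the
article's description of the Trojan (about two hours between C&C requests).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log: one device shows a steady ~2h cadence to one host,
# the other traffic is irregular browsing noise.
SAMPLE_LOG = """\
2016-09-14T08:00:05 device-a1 cdn.example-games.test
2016-09-14T08:00:07 device-a1 update.example-os.test
2016-09-14T09:12:44 device-a1 news.example.test
2016-09-14T10:00:04 device-a1 cdn.example-games.test
2016-09-14T12:00:09 device-a1 cdn.example-games.test
2016-09-14T13:45:00 device-a1 news.example.test
2016-09-14T14:00:02 device-a1 cdn.example-games.test
2016-09-14T16:00:06 device-a1 cdn.example-games.test
2016-09-14T08:03:00 device-b2 news.example.test
2016-09-14T08:10:00 device-b2 news.example.test
2016-09-14T15:00:00 device-b2 news.example.test
"""


def parse_log(text):
    """Yield (timestamp, device, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def intervals_by_flow(events):
    """Map (device, host) -> sorted list of gaps in seconds between requests."""
    flows = defaultdict(list)
    for ts, device, host in events:
        flows[(device, host)].append(ts)
    gaps = {}
    for key, times in flows.items():
        times.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def find_beacons(text, expected=timedelta(hours=2), tolerance=0.05, min_requests=4):
    """Return [(device, host, mean_gap_seconds)] for flows whose request gaps
    sit within `tolerance` of `expected` and show little jitter.

    `min_requests` avoids flagging a host seen only two or three times,
    which is too little evidence of a schedule.
    """
    target = expected.total_seconds()
    hits = []
    for (device, host), gaps in intervals_by_flow(parse_log(text)).items():
        if len(gaps) + 1 < min_requests:
            continue
        avg = mean(gaps)
        # Relative spread: a real beacon timer produces near-identical gaps.
        spread = pstdev(gaps) / avg if avg else float("inf")
        if abs(avg - target) / target <= tolerance and spread <= tolerance:
            hits.append((device, host, avg))
    return hits


if __name__ == "__main__":
    for device, host, avg in find_beacons(SAMPLE_LOG):
        print(f"{device} -> {host}: ~{avg / 3600:.2f} h between requests")
```

On the constructed log this reports only the device-a1 flow to cdn.example-games.test, at an average of roughly two hours per request; the browsing noise is either too sparse or too irregular to pass. The interval, tolerance and minimum-request thresholds are starting points, not tuned values: a legitimate updater polling on a fixed timer will trip the same check, so in practice the output is a candidate list for an analyst, not a verdict.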

Once it starts firing on all cylinders, the Trojan begins dropping encrypted local root exploit packs and backdoors – some dating back to 2012, including one used by Hacking Team. The exploits eventually grant the attacker root access to the device. From there, it goes ahead and installs modules into system folders, silently installs and uninstalls apps, and displays unwanted ads to victims.

Like many Trojans, the malware, which Kaspersky Lab is calling HEUR:Trojan.AndroidOS.Ztorg.ad, sends information about the infected device, including the country it’s in, its language, device model, and OS version.

Time and time again malware makes it past security mitigations established in Google’s marketplace. In June, Play was hit by a scourge of auto-rooting malware. Like the Pokémon GO malware Kaspersky Lab found, that malware quietly auto-rooted infected devices before it was removed by Google. Earlier this year, apps purporting to be games actually downloaded and installed malicious APKs on infected devices. The intent of that malware was monetization through installation. Experts at Lookout, who discovered the malware, said it could also be used to exfiltrate data if attackers wanted.

According to Unuchek, the fake Pokémon Guide app wasn’t the only app that contained the Trojan modules; nine others, including a “Digital Clock” app which had more than 100,000 downloads, had the modules as well. In addition, another separate version of the app was available in July on the marketplace before it was removed.

While the number of daily users playing Pokémon GO, an augmented reality game that dominated phones and headlines earlier this summer, has slipped a bit, the app still boasts an audience of millions.

Shortly after Niantic, the company that developed the game, released it in early July, a phony version of the app surfaced on a malicious file repository. If installed, that app ultimately installed a backdoored version of the game on Android devices.

Last month, attackers began peddling Pokémon GO themed ransomware and SMS spam messages to entice would-be Pokémon trainers. The messages, which were sent to North American users, tried to trick Pokémon GO fans into giving away their login credentials, a/k/a their Google emails and passwords, and going to sites laden with spam.
