Kaspersky Lab researchers have found a new Android Trojan, Guerilla that behaves like a human to get past protections on the Google Play Store.
After landing on the Google Play, a malicious application gains access to a wide audience gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile where users cannot install applications from any other source other than the official store, this Trojan lands as an app after passing a rigorous check for anti-Fraud protection mechanisms.
Guerilla, which downloads and installs apps and leaves fake comments and ratings on the store, uses a rogue client application to fool Google's anti-fraud technologies. This fake app allows attackers to conduct shady advertisement campaigns using infected devices to download, install, rate and comment on the mobile applications published on Google Play.
The malware capable of only abusing Google Play mechanisms from rooted devices aims to boost legitimate apps by increasing their download rates and posting positive reviews on Google Play.
Lately, many Trojans have been seen using the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners’ knowledge, as well as leave comments and rate apps. The apps installed do not cause direct damage but the victim may have to pay for excessive traffic. In addition, the Trojans may download and install paid apps as if they were free ones, adding to the users’ bills.
There are a number of ways of manipulating Google Play:
The first method involves using Trojan to launch the client, open the page of the required app in it, then search for and use the special code to interact with the interface elements (buttons) to cause download, installation and launch of the application.
In this process, operating system’s accessibility services are used which is followed by an imitation of user input and then a code is injected into the process of Google Play client to modify its operation.
Some malware writers create their own client for the app store using HTTPS API but this process requires user credentials and authentication tokens which are not available to a regular app but the cybercriminals extract this information from the data stored on the device in clear text in SQLite format.
For example, client downloads and installs free and paid apps of Guerilla and rates and comments for the app in Play store, then the Trojan starts to collect information like credentials to the user’s Google Play account, Android id, Google service framework ID, Google advertising ID and hashed data about the device. The Trojan downloads the application by sending POST requests.
The Trojans that use the Google Play app to download, install and launch apps from the store are distributed by rooters due to which they launch attacks on the Google Play client app.
This type of malicious program poses a serious threat as rooters download malicious programs that compromise the android ecosystem and spend user’s money on paid apps and download other malware as well.