You are currently viewing New Android Malware: Trojanized Games Hide Malicious Code Inside Images

New Android Malware: Trojanized Games Hide Malicious Code Inside Images

A new Android malware has been detected in the Android games. Nearly 60 Android games hosted on Google Play had a Trojan-like functionality which enabled them to download and execute malicious code hidden inside the images.

Before a year or so, researchers demonstrated a technique which is supposed to be the inspiration behind the attack.
The malware has been found out by the researchers from a Russian antivirus vendor and were reported to Google last week, as they found out the new threat Android.Xiny.19.origin.

These types of malicious Android apps were a noteworthy occurrence on Google Play until a few years ago when Google executed more rigorous checks. It has an automated scanner in it called Bouncer that used emulation and behavior-based detection.

Bypassing detection is not impossible, but is hard enough to keep most malware creators away. Most Android Trojans these days are distributed through third-party app stores, targeting users who have enabled the installation of apps from “unknown sources.”

The makers of Android.Xiny.19.origin, looks like more determined, because their trojanized games are functional, but at the same time, in the background they collect identifying information from proposed devices.

The information getting stole includes, the phone’s unique IMEI and IMSI identifiers, MAC address, mobile operator, country and language settings, operating system versions etc.

Hackers can also instruct the apps to display advertisements, to silently install or delete apps if root access is enabled on the phone and to launch APKs (Android application packages) generally hidden inside images.

The functionality, which uses steganography, is the most dangerous feature of the malware which makes it harder to detect the malicious code.

Once, a specially crafted image is downloaded from the command-and-control server, the Trojan extracts an APK from it by using a special algorithm. After that, it loads the malicious code in the device’s memory by using the DexClassLoader Android function.