Beware! This malware can compromise your phone, steal banking credentials

Oct 13, 2018
05:13 pm

What's the story

Security researchers have flagged a new trojan that poses as 'Google Play Marketplace' and can easily compromise your Android device. The malware, officially dubbed 'GPlayed', allows an attacker to spy on your smartphone activity, take control of many of its features, and even harvest banking credentials. Here's what you should know about it.

The disguise

GPlayed disguises itself as Google's Marketplace

After discovering GPlayed in a public repository, researchers at Cisco Talos analyzed its code. On installing it, they found the malware aims to fool a user by disguising itself as 'Google Play Marketplace', with an icon remarkably similar to that of Google apps. Though most of us know Google's official app store is 'Play Store', the idea here, presumably, is to target less-informed users.

The effect

Here's what GPlayed can do if installed

GPlayed, as the researchers described, carries a number of destructive capabilities, including those of a typical banking and spying trojan. This means the malware, when installed, could give nearly full control of your device to an attacker. They could then use it to collect banking data, access SMS, contacts, location and other features of the device.

Information

Remote control of features

Beyond this, the researchers also found GPlayed could be used to remotely control many of these features. For instance, the attacker could use it to lock your phone, wipe its data, make calls, or launch apps.

Attack details

How is an attack carried out?

Once booted, GPlayed performs pre-defined actions like enabling Wi-Fi and connecting with a command and control (C2) server. Then, it establishes a base for device control by extracting information related to the device (phone number, model, IMEI, country) and registering its SMS handler. Finally, the user is prompted to provide (seemingly legitimate) access to settings and all critical features of the device.

Payment request

Permission approval will keep popping up

As the app runs a timer, the request for admin privileges and settings access will keep popping up from time to time, forcing the user to provide their approval. Following this, the app will open a Chrome-themed page and prompt the user to pay a certain amount for using Google services. The screen will remain disabled until the requested banking details are entered and exfiltrated.
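A defender-side triage of an installed-app inventory for the combination of traits described above (a Google Play lookalike label, device administrator rights, and permissions matching the reported behaviours). This is an added example, not code from Cisco Talos or from the malware; the inventory format, the `device_admin` field, the scoring threshold and the `com.example.*` entries are assumptions constructed for illustration, and the permission table covers only a subset of the behaviours.

```python
import re

P = "android.permission."
# Genuine Google packages whose labels legitimately contain "Google Play".
GENUINE_GOOGLE = {"com.android.vending", "com.google.android.gms",
                  "com.google.android.play.games"}
# Permissions matching a subset of the behaviours the article describes.
BEHAVIOUR_PERMISSIONS = {
    P + "RECEIVE_SMS": "can register an SMS handler",
    P + "READ_SMS": "can read SMS",
    P + "READ_CONTACTS": "can read contacts",
    P + "READ_PHONE_STATE": "can read phone number and IMEI",
    P + "CHANGE_WIFI_STATE": "can enable Wi-Fi",
}

def impersonates_play(app):
    """Label looks like Google Play (ignoring case and punctuation) but package is not Google's."""
    label = re.sub(r"[^a-z0-9]", "", app["label"].lower())
    return "googleplay" in label and app["package"] not in GENUINE_GOOGLE

def triage(app):
    """Return human-readable findings for one inventory entry."""
    findings = []
    if impersonates_play(app):
        findings.append("label imitates Google Play, package is " + app["package"])
    for perm in sorted(set(app["permissions"]) & set(BEHAVIOUR_PERMISSIONS)):
        findings.append(BEHAVIOUR_PERMISSIONS[perm])
    if app["device_admin"]:
        findings.append("holds device administrator rights (lock, wipe)")
    return findings

def is_suspect(app):
    """Flag the combination only: a Play lookalike with admin rights or 3+ risky permissions."""
    risky = set(app["permissions"]) & set(BEHAVIOUR_PERMISSIONS)
    return impersonates_play(app) and (app["device_admin"] or len(risky) >= 3)

# Constructed inventory; com.example.* package names are hypothetical.
INVENTORY = [
    {"label": "Google Play Store", "package": "com.android.vending",
     "device_admin": False, "permissions": [P + "READ_PHONE_STATE"]},
    {"label": "Google Play Marketplace", "package": "com.example.fakemarket",
     "device_admin": True, "permissions": [P + "RECEIVE_SMS", P + "READ_CONTACTS",
                                           P + "READ_PHONE_STATE", P + "CHANGE_WIFI_STATE"]},
    {"label": "Messages", "package": "com.example.sms",
     "device_admin": False, "permissions": [P + "RECEIVE_SMS", P + "READ_SMS"]},
]

if __name__ == "__main__":
    for app in INVENTORY:
        print(app["package"], "SUSPECT" if is_suspect(app) else "ok", triage(app))
```

An ordinary SMS app holds some of the same permissions, which is why the check flags only the lookalike label combined with admin rights or several risky permissions.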

Testing phase

Highly evolved design, but still in the making

The researchers said the trojan carries a highly-evolved, adaptable design, where the attacker can implement new plugins to make it more capable while running on the device. However, they have noted a number of signs suggesting it is still in the final stages of development. Still, considering the trojan's potential, they have submitted its details to major antivirus platforms, helping them take preventive actions.

Preventive steps

How can you avoid such attacks?

The best way to avoid such malware is to install authorized apps from the official Play Store. Further, you could also install mobile antivirus software to keep your phone clean at all times. Most antivirus companies that provide services for PC have a version for mobile too, including Avast, Kaspersky, Norton, and Quick Heal. You can pick any of these.