Want to share with your friends too?

Science
13 Oct 2018

Beware! This malware can compromise your phone, steal banking credentials

Watch out for trojan masquerading as Google Play

Security researchers have flagged a new trojan, one that "pretends" as 'Google Play Marketplace' and can easily compromise your Android device.

The malware, officially dubbed 'GPlayed', allows an attacker to spy on your smartphone activity, take control of many of its features, and even harvest banking credentials.

Here's what you should know about it.

In context

Watch out for trojan masquerading as Google Play
GPlayed disguising as Google's Marketplace

The disguise

GPlayed disguising as Google's Marketplace

After discovering GPlayed in a public repository, researchers at Cisco Talos analyzed its code.

On installing it, they found the malware aims to fool a user by disguising as 'Google Play Marketplace', with an icon remarkably similar to that of Google apps.

Though most of us know Google's official app store is 'Play Store', the idea here, presumably, is to target the less-informed users.

The affect

Here's what GPlayed can do, if installed

GPlayed, as the researchers described, carries a number of destructive capabilities, including those of a typical banking and spying trojan.

This means the malware, when installed, could give nearly full control of your device to an attacker.

They could then use it to collect banking data, access SMS, contacts, location and other features of the device.

Love Tech news?

Stay updated with the latest happenings.

Notify Me

Remote control of features

Not just this, the researchers also found GPlayed could be used to remotely control many of these features. For instance, the attacker could use it to lock your phone, wipe its data or make calls, launch apps.

How an attack is carried out?

Attack details

How an attack is carried out?

Once booted, GPlayed performs pre-defined actions like enabling Wi-Fi and connecting with a command and control (C2) server.

Then, it establishes a base for device control by extracting information related to the device (phone number, model, IMEI, country) and registering its SMS handler.

Finally, the user is prompted to provide (seemingly legitimate) access to settings and all critical features of the device.

Payment request

Permission approval will keep popping up

As the app runs a timer, the request for admin privileges and settings access will keep popping up from time to time, forcing the user to provide their approval.

Following this, the app will open a Chrome-themed page and prompt the user to pay a certain amount for using Google services. The screen will be disabled unless the requested banking details are entered, exfiltrated.

Highly evolved design, but still in the making

Testing phase

Highly evolved design, but still in the making

The researchers said the trojan carries a highly-evolved, adaptable design, where the attacker can implement new plugins to make it more capable while running on the device.

However, they have noted a number of signs suggesting it is still in the final stages of development.

Still, considering the trojan's potential, they have submitted its details to major antivirus platforms, helping them take preventive actions.

Preventive steps

How to avoid such attacks?

The best way to avoid such malware is to install authorized apps from the official Play Store.

Further, you could even get a mobile antivirus software to keep your phone cleaned all the time.

Most antivirus companies that provide services for PC have a version for mobile too, including Avast, Kaspersky, Norton, and Quickheal. You can pick any of these.

Ask NewsBytes
User Image

Next Timeline