A malicious Android application, disguised as a guide for the popular Pokémon Go game, is rooting victims' devices and silently installing unwanted apps and adware on them.
Dubbed Guide for Pokémon Go, the app somehow found its way onto the official Google Play Store, and more than 500,000 users have downloaded it onto their smartphones. Moreover, Kaspersky revealed that, according to telemetry data received from its security products, at least 6,000 users had their devices taken over by the malware's developer.
In July, another version of the malicious app was uploaded to the Google Play Store, but it was quickly taken down. The same malware, posing as a Pokémon Go guide, was also found in 9 other applications, all uploaded under different names and at different times to the official store.
The Trojan's author is clearly aware of what is popular at a particular point in time and takes advantage of it.
Kaspersky revealed that most of these 9 other apps weren’t installed more than 10,000 times, but one app managed to get over 100,000 downloads.
The Trojan was detected by Kaspersky under the generic name HEUR:Trojan.AndroidOS.Ztorg.ad. The security vendor said that the threat is very sophisticated and advanced, and that it features more than one layer of defense, making reverse engineering extremely complicated. The app also uses a commercial packer, a tool designed to scramble and hide code in order to hinder analysis by security researchers.
Once it has infected a smartphone, the Trojan doesn't ping back its creators right away; it first waits until the victim performs certain actions on the device, and then waits 2 hours more to be certain that the smartphone is used by a real person and is not running on an emulator or a virtual machine.
Only then does it contact the C&C server, sending device details to register the new victim, and then waits for commands. It executes a given command only if the C&C server has confirmed it twice, one more anti-analysis technique.
When the crook is ready to launch an attack, it sends a JSON file with multiple links. The Trojan follows the links and downloads several files containing various Android exploits capable of rooting the device and granting the attacker system-level access to the smartphone. These exploits leverage various vulnerabilities, disclosed between 2012 and 2015, to root the device, including an exploit from the HackingTeam data dump.
“Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long-term implications of infection could be far more sinister.” – says Roman Unuchek, Senior Malware Analyst at Kaspersky Lab – “Even though the app has now been removed from the store, there’re up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action.”