Warning: GTA, Super Mario on Google Play are Android malware


Summary: Cybercriminals have managed to sneak more malware into the official Google Play store, which was subsequently downloaded over 100,000 times in the span of a few weeks. While Google has removed the initial threats, a quick check shows that the search giant didn't do a very thorough cleanup job.

A new piece of malware recently tried to make its way onto Android devices via the Google Play store. While Google has removed the initial threat, it appears that it didn't do a very thorough job.

Symantec, which first discovered the malware, detects it as Android.Dropdialer and describes it as "a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number." The Trojan poses as a wallpaper app, but it also installs an additional app which sends expensive international text messages to generate revenue for its creators. The security firm saw it posted as two popular titles: "Super Mario Bros." and "GTA 3 Moscow City."

The duo showed up on the official Google Play store on June 24 and managed to generate between 50,000 and 100,000 downloads. Both are disturbing statistics. Google didn't find the malware until Symantec pointed it out to the search giant, by which time tens of thousands of users had already downloaded it.

What is even more worrying, however, is that F-Secure has found evidence Google did not clean its market very thoroughly. In less than 10 seconds, the security firm found more samples of the same malware, masquerading as: GTA 3: Las Vegas, Instagram After Effects, FIFA 11 Russian Edition, and Odnoklassniki Life. It would not surprise me in the slightest if more such apps were lurking in the store.

There are two things that make this malware variant particularly interesting. The two twists work in concert to trick the Android Security team and make it more difficult for security researchers to collect samples.

Symantec notes the Trojan in question uses a remote payload to avoid detection of anomalies during the automated QA screening process. The first stage is to post on Google Play, and once the app is installed on a victim's phone, it downloads an additional package, hosted on Dropbox, called "Activator.apk."
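A static triage check for the staged-payload pattern described above, as an added example that is not from the article or from Symantec's analysis. It assumes the manifest has already been decoded to text XML and the app's strings extracted; the sample manifest, the `files.example.invalid` URL and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# MIME type an app uses when handing a downloaded APK to the system installer.
APK_MIME = "application/vnd.android.package-archive"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
STORE_HOSTS = {"play.google.com"}  # assumption: the only expected app source

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def remote_apk_urls(strings):
    """Find URLs that point at an .apk file hosted outside the store."""
    hits = []
    for s in strings:
        for url in URL_RE.findall(s):
            parsed = urlparse(url)
            if parsed.path.lower().endswith(".apk") and parsed.hostname not in STORE_HOSTS:
                hits.append(url)
    return hits

def triage(manifest_xml, strings):
    """Flag dropper indicators that a permission-only review would miss."""
    findings = []
    urls = remote_apk_urls(strings)
    if urls:
        findings.append(("remote-apk-url", urls))
    if any(APK_MIME in s for s in strings):
        findings.append(("installer-handoff", APK_MIME))
    if "android.permission.SEND_SMS" in requested_permissions(manifest_xml):
        findings.append(("sends-sms", "android.permission.SEND_SMS"))
    return findings

# Constructed first-stage sample: harmless-looking permissions, no SEND_SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""
SAMPLE_STRINGS = [
    "https://files.example.invalid/u/0000/Activator.apk",  # constructed URL
    "application/vnd.android.package-archive",
    "Loading wallpapers...",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(finding)
```

On the constructed sample the permission list alone looks like an ordinary wallpaper app; the off-store APK URL and the installer hand-off are the signals that mark it as a possible first stage.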

F-Secure notes that premium rate SMS numbers only work within a particular country. As such, whoever uploaded this malware made a point to make it "incompatible" outside of profitable telecom networks. This cleverly limits the malware to its target group.

It's one thing to see Android malware on third-party app stores, but it's a completely different matter to see it sneak onto the official Google Play store. While users still need to be careful about what they download, I would say Google is more at fault here than anyone else.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

14 comments
  • Windows Phone 7

    Glad I got a lumia device instead of this android security mess :)
    DJK2
  • Well, there's another myth blown out the window...

    "..you are safe from malware if you download only from trusted repositories.." - busted.

    So now we know that "trusted repositories" and "walled gardens" aren't 100% foolproof (or, apparently, even 50% foolproof) - even those run by the open-source coding geniuses at Google..

    Of course, again, all the fanatics will claim "this is a trojan - you should know better than to download trojans"..

    ..Riiiiiight... and so when that new version of Angry Birds becomes available on Google Play, how exactly are we to trust that what we're downloading is the actual game we want, and not some trojan put there with a pretty face.

    ..answer: we can't.

    I guess we're back to needing some other form of security on our devices. Either don't download ANYTHING other than what our telco provides on the phone, or run some kind of malware detection software (oh, I don't know, like a virus/trojan/whatever scanner - god forbid!)
    daftkey
    • yeah

      "So now we know that "trusted repositories" and "walled gardens" aren't 100% foolproof (or, apparently, even 50% foolproof)"

      Yeah none are secure, I got a fake Spotify and a fake chrome app on my Nokia Lumia.

      I don't think these scares will affect Android, in the grand scheme the numbers are small, and look how the virus ridden windows dominated the market.
      DejaVu2
  • I'm shocked, shocked I tell you, to hear of more malware in the android

    market. The fanbois say that if you only get stuff from the official google store you'll be safe. Oh wait but google doesn't give a crap what gets put in their store. They don't even check it for malware before making it available for everyone to get pwnd.
    Johnny Vegas
    • The actual file from play store is safe

      Once that file is installed it downloads another .apk which is the payload or trojan..

      Not the same.
      Anthony E
      • Okay, maybe I don't follow...

        ..the "original" file that the user downloads is safe, but it downloads a file that is unsafe?

        Does the user have any reasonable "out" to prevent the second file from being downloaded, such that the first file could potentially be installed without danger from this trojan?

        If the answer is "no", then you're splitting hairs, and the "original" file is just as much a trojan as the "unsafe one" downloaded afterward.
        daftkey
        • Not really.

          Android gives you an option to only install apks from google play or install from anywhere.
          If only from google play is enabled and a person downloads the first file that has no infector code in it..
          Can that installed program install an apk from a 3rd party site if it's set to only install from google play..
          Anthony E
      • Not much different than...

        the Charlie Miller proof of concept Apple App Store malware back in November, and Apple certainly took a lot of heat for that.
        TroyMcClure
  • Just goes to show that Malware can be made for a platform

    If the malware writer thinks they can gain something from the users of that platform.

    Of course this being in the Google Play App store is sad because Google Should check these things. I would expect it from other sites but within Google Play? Epic Fail. I guess we should wait for SJVN to come and defend Google on this.
    bobiroc
  • Would the activator.apk file still install

    If you don't have the install from third party markets unchecked ??
    Anthony E
    • That's a Good Question

      That's a good question. Another question worth asking is, "Can the additional apk get installed without an additional OK from the user?" If you download one app and it asks for permission to install twice, that should be a red flag. Thus it's worth knowing the answer to both these questions.

      It looks like Google still needs to get a bit better at screening apps though.
      CFWhitman
  • can you check who's the developer?

    or can that be faked?
    i mean if it's like super mario, then the developer has to be nintendo or it's not official.
    rabbids-1d765
    • Would that still help with most games, though?

      Super Mario might be obvious to most people (Nintendo, or not), but what about other games that might be "developed" by one company and "published" by someone else? Or what about games jointly developed?

      Granted, we don't see many of those on smartphones right now, but as capabilities of the devices grow, I can imagine seeing a group of kids in a room playing the latest "Unreal Tournament 2015" on their Android devices. Do you think most kids know who the developer/publisher of all those games are? (here's a quick task - ask a few of the teenagers you see playing Angry Birds if they know offhand who publishes it - see how many know who Rovio is).
      daftkey
      • yes i agree,

        it doesn't help for the not so popular game developers. i don't know who made angry birds.. haha.
        but i was just wondering if the developer's name/website can be faked too. making it harder to judge whether the game is official and not malware.
        rabbids-1d765