Researchers have unmasked a new Trojan which pretends to be a Google service on infected Android devices.
The malware, dubbed "GPlayed," is a Trojan which labels itself "Google Play Marketplace" and uses a very similar icon to the standard Google Play app in order to dupe victims into believing the software is legitimate.
According to researchers from Cisco Talos, GPlayed is "extremely powerful" and its key strengths are flexibility and the ability to adapt after deployment.
The Trojan contains a number of interesting built-in capabilities. Written in .NET using the Xamarin mobile environment, GPlayed's main .DLL is called Reznov, which, in turn, contains a root class called "eClient."
The malware has been given a modular infrastructure which is able to remotely load plugins installed in real-time or when the malware is compiled and packaged.
"This means that the authors or the operators can add capabilities without the need to recompile and upgrade the Trojan package on the device," Talos says.
The Trojan's destructive capabilities are similar to other malware strains in the same class. GPlayed focuses on the theft of financial information alongside espionage and is able to harvest banking credentials, monitor device location, steal device data, log keys, and more.
Once an Android mobile device has been compromised, the Trojan will attempt to register the device with the malware's command-and-control (C2) server.
The malware will also exfiltrate private information at this point of the infection, including the handset's model, IMEI, phone number, registered country, and the version of Android in use.
GPlayed will also register an SMS handler so that the content of any future message, together with information about the sender, is forwarded to the C2.
The final stage of registration involves the Trojan requesting additional permissions for the purpose of privilege escalation.
GPlayed will not only request admin privileges but will also ask the user to allow the seemingly legitimate app to access device settings.
The user can ignore these requests and close the window. However, the Trojan has an inbuilt timer which will keep bringing the window back, again and again, until the user capitulates.
Once installed, the Trojan will wait for a time before activating eClient and a subclass called "GoogleCC." This opens a Google-themed web page on the device without user interaction which requests the user's payment information in order to use Google services.
The screen is locked until details are entered, checked, and confirmed as valid. A payment, configurable by the attacker, is also requested by the Trojan at this point of the attack.
If the victim enters their details, the information is whisked away to the C2 via HTTP. The stolen information is obfuscated through JSON and Base64 encoding.
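The article notes that the stolen data travels over HTTP as Base64-wrapped JSON. As an added illustration from the defender's side (this is example code written for this page, not from the Talos report, and the field names and values below are constructed, not GPlayed's real wire format), the following Python triages captured HTTP request bodies: it unwraps Base64, parses the JSON, and flags bodies that look like a device profile being exfiltrated, such as a cluster of device-identifier keys or a 15-digit Luhn-valid value shaped like an IMEI.

```python
import base64
import binascii
import json
import re

# Constructed sample of an HTTP POST body of the kind the article describes:
# a JSON object wrapped in Base64. Keys and values are invented for this example.
CONSTRUCTED_BODY = base64.b64encode(json.dumps({
    "model": "Pixel 3",
    "imei": "490154203237518",   # well-known test IMEI, Luhn-valid
    "phone": "+15555550123",
    "country": "US",
    "os": "9.0",
}).encode()).decode()

# A benign comparison body: valid Base64, but not JSON.
CONSTRUCTED_BENIGN = base64.b64encode(b"hello world").decode()

# Key names that, seen together, suggest a device profile is being reported.
DEVICE_ID_KEYS = {"imei", "imsi", "model", "phone", "country", "os", "android", "version"}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by IMEIs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_b64_json(body: str):
    """Return the parsed object if body is Base64 wrapping a JSON object, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def triage(body: str) -> dict:
    """Score one request body; returns a verdict plus human-readable reasons."""
    obj = decode_b64_json(body)
    if obj is None:
        return {"suspicious": False, "reasons": []}
    reasons = []
    hits = {k.lower() for k in obj} & DEVICE_ID_KEYS
    if len(hits) >= 3:
        reasons.append(f"device-profile keys present: {sorted(hits)}")
    for key, value in obj.items():
        s = str(value)
        if re.fullmatch(r"\d{15}", s) and luhn_ok(s):
            reasons.append(f"{key}: 15-digit Luhn-valid value (IMEI-shaped)")
        elif re.fullmatch(r"\+?\d{10,15}", s):
            reasons.append(f"{key}: phone-number-shaped value")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, body in (("constructed exfil", CONSTRUCTED_BODY),
                        ("constructed benign", CONSTRUCTED_BENIGN)):
        print(label, "->", triage(body))
```

The heuristics are deliberately simple: Base64 that decodes to a JSON object carrying several device-identifier keys, or a Luhn-valid 15-digit string, is worth an analyst's attention in traffic from a mobile device. Tune the key list and thresholds to the application traffic you actually expect to see.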
Cisco Talos believes that the Trojan is in the final stages of testing. A number of strings and labels contain the word "test," and the only sample available of GPlayed was uncovered in a public repository.
The Trojan has also been submitted to public antivirus detection platforms.
"Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed," the researchers say. "Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one."