Warning: GTA, Super Mario on Google Play are Android malware

Cybercriminals have managed to sneak more malware into the official Google Play store, which was subsequently downloaded over 100,000 times over the span of a few weeks. While Google has removed the initial threats, a quick check shows that the search giant didn't do a very thorough cleanup job.
Written by Emil Protalinski, Contributor

A new piece of malware recently tried to make its way onto Android devices via the Google Play store. While Google has removed the initial threat, it appears that it didn't do a very thorough job.

Symantec, which first discovered the malware, detects it as Android.Dropdialer and describes it as "a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number." The Trojan poses as a wallpaper app, but it also installs an additional app which sends expensive international text messages to generate revenue for its creators. The security firm saw it posted as two popular titles: "Super Mario Bros." and "GTA 3 Moscow City."

The duo showed up on the official Google Play store on June 24 and managed to generate between 50,000 and 100,000 downloads. Both are disturbing statistics. Google didn't find the malware until Symantec pointed it out to the search giant, by which point tens of thousands of users had already downloaded it.

What is even more worrying, however, is that F-Secure has found evidence Google did not clean its market very thoroughly. In less than 10 seconds, the security firm found more samples of the same malware, masquerading as: GTA 3: Las Vegas, Instagram After Effects, FIFA 11 Russian Edition, and Odnoklassniki Life. It would not surprise me in the slightest if more such apps were lurking in the store.

There are two things that make this malware variant particularly interesting. The two twists work in concert to trick the Android Security team and make it more difficult for security researchers to collect samples.

Symantec notes the Trojan in question uses a remote payload to avoid detection of anomalies during the automated QA screening process. The first stage is to post on Google Play, and once the app is installed on a victim's phone, it downloads an additional package, hosted on Dropbox, called "Activator.apk."

F-Secure notes that premium rate SMS numbers only work within a particular country. As such, whoever uploaded this malware made a point to make it "incompatible" outside of profitable telecom networks. This cleverly limits the malware to its target group.
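The remote-payload twist described above can be illustrated with a small static triage sketch. This is an added example, not code from Symantec, F-Secure or the original article; the manifests, package names, URL and permission sets are constructed assumptions, not the actual Android.Dropdialer samples.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# A URL whose path ends in .apk suggests the app fetches installable code at run time.
APK_URL = re.compile(r"https?://[^\s\"'<>]+\.apk\b", re.IGNORECASE)

def permissions(manifest_xml):
    """Permissions requested in a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def triage(manifest_xml, strings):
    """Return (finding, evidence) pairs; `strings` are strings pulled from the app's code."""
    perms = permissions(manifest_xml)
    findings = []
    remote_apks = [m.group(0) for s in strings for m in APK_URL.finditer(s)]
    if remote_apks and "android.permission.INTERNET" in perms:
        findings.append(("remote-apk-download", remote_apks))
    if "android.permission.SEND_SMS" in perms:
        findings.append(("can-send-sms", []))
    return findings

# Constructed sample: stage one, the "wallpaper" app that passes store screening.
STAGE_ONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""
STAGE_ONE_STRINGS = ["Loading...", "https://files.example/Activator.apk"]  # placeholder URL

# Constructed sample: stage two, the package fetched after installation.
STAGE_TWO_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.activator">
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    # Stage one shows no SMS capability at all; only the remote .apk URL gives it away.
    print(triage(STAGE_ONE_MANIFEST, STAGE_ONE_STRINGS))
    print(triage(STAGE_TWO_MANIFEST, []))
```

In this constructed case the first-stage app requests nothing SMS-related, so a review that looks only at its permissions sees a plain wallpaper app; the reference to a remotely hosted package is the signal worth escalating.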

It's one thing to see Android malware on third-party app stores, but it's a completely different matter to see it sneak onto the official Google Play store. While users still need to be careful about what they download, I would say Google is more at fault here than anyone else.
