Trojanized Android games hide malicious code inside images

The attack was likely inspired by a technique demonstrated by researchers over a year ago

Over 60 Android games hosted on Google Play had Trojan-like functionality that allowed them to download and execute malicious code hidden inside images.

The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

Malicious Android apps were a common occurrence on Google Play until a few years ago when Google implemented more rigorous checks. This included an automated scanner called Bouncer that used emulation and behavior-based detection.

Bypassing Bouncer detection is not impossible, but is hard enough to keep most malware creators away. Most Android Trojans these days are distributed through third-party app stores, targeting users who have enabled the installation of apps from "unknown sources."

The authors of Android.Xiny.19.origin seem to have been a bit more determined. Their trojanized games are functional, but in the background they collect identifying information from targeted devices.

This information includes the phone's unique IMEI and IMSI identifiers, MAC address, mobile operator, country and language settings, operating system versions and more.

The attackers can also instruct the apps to display advertisements, to silently install or delete apps if root access is enabled on the phone and to launch APKs (Android application packages) that are hidden inside images.

The latter functionality, which uses steganography, is the most interesting feature of the malware and makes it harder to detect the malicious code.

"Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly," the Dr. Web researchers said in a blog post. "Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images."

After a specially crafted image is downloaded from the command-and-control server, the Trojan extracts an APK from it by using a special algorithm. It then loads the malicious code in the device's memory by using the DexClassLoader Android function.

The attack is very similar to a concept presented at the Black Hat Europe security conference in October 2014 by researchers Axelle Apvrille and Ange Albertini.

The two researchers showed at the time that they could hide an APK inside an image file while keeping the image valid when opened. However, when applying a decryption algorithm to it, they could recover the APK. Furthermore, the researchers even mentioned that DexClassLoader can be used to dynamically load the APK into memory, exactly as Android.Xiny.19.origin does now.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleIMSI

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place