A malicious Android app, available until recently in the Google Play store and capable of seizing root access rights on users’ phones, has been downloaded more than half a million times, according to security researchers.
The app, called “Guide for Pokémon Go”, can be used by attackers to install/uninstall apps and display unsolicited advertisements.
At least 6 000 successful infections have taken place, according to experts from Russian security firm Kaspersky Lab. The company has reported the Trojan to Google and the app has been removed from the store.
“The global phenomenon of Pokémon Go has resulted in a growing number of related apps and, inevitably, increased interest from the cyber criminal community,” said Kaspersky in a statement.
The latest Trojan has malicious code that downloads rooting malware, securing access to the core Android operating system.
“The Trojan includes some interesting features that help it to bypass detection. For example, it doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine,” Kaspersky said.
“If it’s dealing with a device, the Trojan will wait a further two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
“This approach means that the control server can stop the attack from proceeding if it wants to, skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.”
Researchers have tracked at least nine other apps infected with the same Trojan and available on the Google Play store at different times since December 2015.
(c) 2016 NewsCentral Media