Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.
Google has removed from Google Play eight apps that have served as downloaders for Android banking malware.
Disguised as news aggregators, system cleaners and similar tools, the apps looked legitimate but hid their malicious behaviour by using obfuscation and by delaying installation of the payload.
Following the initial download, the app decrypted and executed a first-stage payload, which then decrypted and executed a second-stage payload (stored in the assets of the initial app downloaded from Google Play), which in turn downloaded, decrypted and executed a third-stage payload (a fake, malicious app) from a hardcoded URL.
Then there is a pause of 5 minutes, and the malicious app – “Adobe Update,” “Android Update,” or “Adobe Flash Player” – makes its move and asks the user to install it.
The permissions this app requests should raise suspicion, as they will allow it, once a final, fourth payload is decrypted and executed, to perform malicious actions.
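For defenders triaging a device or MDM app inventory, the chain described above leaves a recognisable trace: an app carrying one of the lure names, installed from outside Google Play, at least five minutes after a Play-installed app. The following is an added example, not code from ESET or the article; the inventory, the package names and the 24-hour lookback are assumptions, and the result is a heuristic list of apps to review, not a verdict.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PLAY = "com.android.vending"            # installer recorded for Google Play installs
LURES = {"adobe update", "android update", "adobe flash player"}  # labels from the article
PAUSE = timedelta(minutes=5)            # delay before the install prompt, per the article
LOOKBACK = timedelta(hours=24)          # assumption: search window for the dropper

@dataclass(frozen=True)
class App:
    package: str
    label: str
    installer: Optional[str]            # None = sideloaded or unknown source
    installed: datetime

def find_dropper_chains(apps):
    """Pair each sideloaded lure-labelled app with Play apps that could have dropped it."""
    findings = []
    for lure in apps:
        if lure.label.strip().lower() not in LURES or lure.installer == PLAY:
            continue
        # The dropper must predate the lure by at least the pause, within the lookback.
        suspects = [a for a in apps if a.installer == PLAY
                    and PAUSE <= lure.installed - a.installed <= LOOKBACK]
        suspects.sort(key=lambda a: a.installed, reverse=True)  # most recent first
        findings.append((lure.package, [a.package for a in suspects]))
    return findings

# Constructed inventory; every package name below is hypothetical.
T = datetime(2024, 1, 10, 9, 0)
INVENTORY = [
    App("com.example.cleaner", "Phone Cleaner", PLAY, T - timedelta(days=2)),
    App("com.example.newsdigest", "World News Digest", PLAY, T),
    App("com.example.chat", "Chat", PLAY, T + timedelta(minutes=5)),
    App("com.example.flashupd", "Adobe Flash Player", None, T + timedelta(minutes=7)),
    App("com.example.vpn", "Internal VPN", None, T + timedelta(hours=1)),
]

if __name__ == "__main__":
    for lure, suspects in find_dropper_chains(INVENTORY):
        print(f"{lure}: sideloaded lure app; review Play installs {suspects}")
```

Apps installed less than five minutes before the lure, or outside the lookback window, are left out of the suspect list, which keeps the review set small on devices with many Play installs.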