Security researchers have discovered a malicious app that not only targets Android users with unsolicited ads but also downloads and installs scores of online shopping apps on the device and leaves fake reviews on behalf of the user, all whilst hiding from the device owner.
In a report published by global cybersecurity and anti-virus brand Kaspersky Labs on Thursday, security researchers said they came across a malicious Trojan malware-laced app on the Google Play Store called Trojan-Dropper.AndroidOS.Shopper.a.
How does it operate?
The "Shopper" app tricks users into downloading it by disguising itself with a system icon and a ConfigAPKs name that bears a striking resemblance to the name of a legitimate Android application. Once it is installed onto an Android device, the malware gets to work, starting with harvesting device information such as country, network type, vendor, smartphone model, email address, IMEI, and IMSI.
The collected data is then relayed to the attackers' command-and-control servers, which respond with a series of commands to be run on the targeted smartphone or tablet. The operators then mobilise the Shopper.a Trojan to boost the ratings of other malicious apps on the Play Store and post fake reviews on behalf of the victims, such as "very easy to use" and "love this app."
The malicious app also starts downloading apps from a third-party app marketplace and installs them on the device without the knowledge of the user. These include popular apps like Alibaba, Shein, MakeMyTrip, Hotstar, and others.
Master of Disguise
All this is done without the user's knowledge, inside the app's "invisible window", by abusing the Accessibility Service, a known tactic used by Android malware to perform malicious actions without the consent or permission of the user.
"The lack of installation rights from third-party sources is no obstacle to the Trojan — it gives itself the requisite permissions through Accessibility Service," Kaspersky Lab researcher Igor Golovin explained. "With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures."
The malware also disables the Google Play Protect mobile threat protection service, Google's built-in Android malware protection, so that it can go about its business without a hitch.
What can the "Shopper" malware do?
Depending on what commands it receives from its control center, the malicious Shopper.a can perform one or more of the following tasks:
- Open links received from the remote server in an invisible window (whereby the malware verifies that the user is connected to a mobile network).
- Hide itself from the apps menu after a certain number of screen unlocks.
- Check the availability of Accessibility Service rights and, if not granted, periodically issue a phishing request to the user to provide them.
- Disable Google Play Protect.
- Create shortcuts to advertised sites in the apps menu.
- Download apps from the third-party "market" Apkpure[.]com and install them.
- Open advertised apps on Google Play and "click" to install them.
- Replace shortcuts to installed apps with shortcuts to advertised sites.
- Post fake reviews supposedly from the Google Play user.
- Show ads when the screen is unlocked.
- Register users through their Google or Facebook accounts in several apps.
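The Accessibility Service abuse described above leaves a checkable trace: every enabled accessibility service is listed in the device's secure settings as a colon-separated series of `package/ServiceClass` entries. The following added example (not code from the article, Kaspersky, or Google) parses that list and flags any package not on a reviewer's allowlist; the sample setting value and the allowlist are constructed for illustration.

```python
"""Triage helper: flag packages holding Accessibility Service rights.

Added example for this article, not Kaspersky's or Google's code. The device
output below is constructed; on a real device read it from
`adb shell settings get secure enabled_accessibility_services`.
"""
from __future__ import annotations
import subprocess

# Constructed sample of the setting's value: colon-separated ComponentName
# strings of the form <package>/<service class>; "null" or "" means none.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.configapks/.svc.AccService"
)
# Constructed allowlist of packages accepted as legitimate accessibility tools.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

def parse_enabled_services(setting: str | None) -> list[tuple[str, str]]:
    """Split the raw setting into (package, fully qualified service class) pairs."""
    if setting is None or setting.strip() in ("", "null"):
        return []
    pairs = []
    for entry in setting.strip().split(":"):
        pkg, _, cls = entry.partition("/")
        if not pkg:
            continue
        # A class name starting with '.' is relative to the package name.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def suspicious_services(setting: str | None, allowed: set[str]) -> list[tuple[str, str]]:
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [(p, c) for p, c in parse_enabled_services(setting) if p not in allowed]

def read_device_setting() -> str:
    """Fetch the live value over adb (needs a connected, USB-debugging-authorised device)."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()

if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print(f"review: {pkg} holds accessibility rights via {cls}")
```

A package that appears here, is hidden from the launcher, and was never deliberately granted accessibility rights by the owner matches the behaviour the list above describes and is worth pulling for analysis.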