Kaspersky Lab experts have discovered an Android trojan called Guerilla, which attempts to overcome the Google Play Store anti-fraud protection mechanisms.
Itusesa rogue Google Play client application that behaves as if there was a real human behind it. This fake app allows attackers to conduct shady advertisement campaigns using infected devices to download, install, rate and comment on the mobile applications published on Google Play.
The malware is only capable of abusing Google Play mechanisms from rooted devices.
As a platform for millions of users and software developers, Google Play is an attractive target for cybercriminals. Among other things, cybercriminals use the Google Play Store to conduct so-called Shuabang campaigns, which are widespread in China.
These are fraudulent advertisement activities aimed at promoting some legitimate apps by granting them the highest rates, increasing their download rates and posting positive comments about them on Google Play.
The apps used to conduct these advertisement campaigns usually do not pose any standard threat to the owner of an infected device, such as data or money stealing, but they can still do harm: the ability to download additional apps on the infected device results in extra charges for mobile Internet traffic, and in some cases Shabang apps are capable of covertly installing paid programs, along with free ones; using the bank card attached to the victim's Google Play account as the payment method.
To conduct these campaigns, criminals create multiple fake Google Play accounts or infect user devices with special malware, which covertly performs actions on Google Play, based on the commands received from hackers.
More From This Section
Although Google has strong protection mechanisms, which help detect and block fake users to prevent fraudulent operations, the authors of the Guerilla trojan seem to be trying to overcome them.
The trojan is delivered to the targeted device through Leech rootkit a malware that gives an attacker user privileges over the infected device. These privileges give the attacker unlimited opportunities to manipulate the data on the device.
Among other things it gives them access to the victim's username, passwords, and authentication tokens, which are mandatory for an app to communicate with official Google services, and are inaccessible to ordinary applications on non-rooted devices.
After installation, the Guerilla trojan uses this data to communicate with the Google Play Store as if it was real Google Play app.
The criminals are very cautious: they are careful enough to use the authentication data of a real user, and they also make requests from the fake client application, to Google Play,look exactly like requests that the real app would issue.
Another unusual thing about this trojan is that malware writers have tried to mimic the way an actual user interacts with the store. For instance, before it requests a page where a particular app is hosted, it searches for an app of interest, like a human would, should they need to find an app.
"Guerilla is not the first malicious app that tries to manipulate the Google Play store, but it does it in a pretty sophisticated way, that we haven't seen before. The thinking behind this method is clear: Google can probably easily distinguish requests to Google Play that were made by robots most of the Shuabang malware we know about just automatically sends out requests for the particular page of a particular app," said Security Expert at Kaspersky Lab, Nikita Buchka.
Disclaimer: No Business Standard Journalist was involved in creation of this content