Researchers spot trojan targeting dozens of Google Play games

Researchers have spotted the Android.Xiny.19.origin Trojan in more than 60 Google Play apps.

Researchers at Dr. Web spotted the Android.Xiny.19.origin trojan incorporated into more than 60 games in the Google Play Store.

Once a device is infected, the trojan sends a victim's IMEI identifier, MAC address, version and current language of the operating system, and mobile network operator name, all at an attacker's will, according to a 28 Jan security post.

“The main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cyber-criminals' command,” researchers said in the post.

While it's not yet able to gain root privilege, the malware can prompt a user to install different software, researchers said.

The malware can also download a set of exploits from the server to gain root access to the device for covert installation or deletion of applications, according to the post.

Researchers said the trojan's author hid the malicious programme in specially created images, a technique known as steganography.

“Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly,” the post said.

The malicious games have reportedly been distributed through more than 30 developers, including Conexagon Studio, Fun Color Games and BILLAPPS.

Researchers said the malicious games appear normal and are playable “with just one difference—while a user is playing a game, the Trojan is performing its malicious activity.”

Researchers recommended that users don't download applications to any devices without antivirus software.

It is unclear how the malicious applications made it past Google's screening process. Google was notified of the malicious software but malicious apps are reportedly still in the store.

Google had not responded by press time to SCMagazine.com's request for comment.