Posted By SYMANTEC
We have uncovered a new Android Trojan that uses several techniques to hide itself on devices, and remain in the Google Play Store. The malicious app collects device information and displays advertisements. However the functionality and behavior of this app could be easily extended to a wide range of other malicious purposes.
The malware (Android.Doublehidden) is localized in the Persian language. Its name translates to ‘Photograph by Fiery’and it has a package name of com.aseee.apptec.treeapp.
The pattern of availability of this malicious app on Google Play suggests the author is attempting to remain under the radar. During October and November 2017, the app has been updated five times, alternating between a working legitimate photo editing app, and this self-hiding malicious non-app. As far as we can tell, the app developer ‘i.r.r developer’ publishes several other apps which are legitimate.
The app presents itself as a photo editing app, but immediately dupes the user and hides itself on installation. On launch, the app asks the user for Device Administrator permissions—a well-used approach for malware to gain a strong foothold on the device. In the subsequent user interface (UI) screen, the app displays a message which roughly translates as: “Unfortunately, this app does not work on your phone. After exiting, the application will be deleted.”
Although the app closes, the malicious functionality is already in place.
The app hides itself on the device using the following techniques:
The app calls setComponentEnableSetting(). Once the app launches, it disappears from the app launcher (its icon no longer appears on the home screen).
The app leverages its position on the victim’s device to collect data and advertising revenue. The app collects user information to send to the malware authors. Google Cloud Messaging is used to push configuration information, including when to collect data and where to send it.
The malware may collect the following information:
If the user gave the malicious application the Device Administrator permission, it will be more difficult to remove.
The malware also requests and displays advertisements on the device including suggestions for additional applications by using the OneSignal notification network.
If the user gave the malicious application the Device Administrator permission, it will be more difficult to remove, as the user will have to disable ‘Device Administrator’ for the app in the app settings (and remember, this entry is a blank row) to actually uninstall it.
Symantec and Norton products detect this malware as:
Stay protected from mobile malware by taking these precautions:
Learn more about Symantec :