A Trojan disguised as a guide app for Pokémon Go on Android was discovered by researchers from Kaspersky Lab in Google's official Play Store. Without the user's knowledge, the malware could obtain root access to the device and begin showing its own malicious advertising to the victim. By the time the Trojan was detected it had already been downloaded from the store more than 500,000 times, with infected users concentrated in Russia, India and Indonesia.
That attackers would exploit a craze like Pokémon Go was entirely predictable. The discovered malware is one more piece of evidence that attackers closely watch what is happening in the world and never miss a chance to take advantage of the hype around a given trend. The researchers write that the Trojan, detected as HEUR:Trojan.AndroidOS.Ztorg.ad, is very well disguised, which is why the threat was noticed so late. All of the malware's files were encrypted with a commercial packer, and once unpacked they really do contain useful material related to Pokémon Go, which the Trojan used to maintain its cover story. Only a small module with obfuscated code was responsible for the malicious functionality.
Once it has infected a device, the Trojan does not perform malicious actions immediately. First the malware verifies that it is not running in a virtual machine and waits for the user to install or uninstall some application, to make sure it is on a real device that is actually in use. Only then does the Trojan contact its command-and-control server, sending the operators data about the infected device: the operating system version, the default language and the country in which the device is located. The server's response arrives as JSON containing several links; following them, the malware downloads additional files onto the infected device. These files are the Trojan's real weapon, since they contain exploits for various Android vulnerabilities, mostly ones discovered in 2012-2015, so the rooting stage only succeeds on devices that are still missing the corresponding patches. One of the exploits was developed by Hacking Team and leaked onto the Internet as a result of last year's breach of that company. Thus armed, the Trojan finally moves to the active phase of the attack: it obtains superuser rights, then installs additional applications and displays advertisements to the victim.
The experts write that so far the Trojan's operators have monetized their operation primarily through advertising and have not distributed additional malware. But there is no guarantee that tomorrow they will not want more money and begin using the same Trojan to spread something more dangerous, for example ransomware or banking Trojans.