Android devices are now the targets by a whole new level with a type of malware which secretly purchases and downloads applications from Google Play Store, and it is also capable of stealing information, such like the configured Google account.
Codenamed Skyfin, new infection reaches Android devices by using the the help of a different malware known as Android.DownLoader. This usually spreads as part of applications posted in third-party stores. To simply put, users who are downloading apps from an store than Google’s are exposed to these attacks, so they should double-check each APK to make sure it’s not infected.
Security company Dr Web says Skyfire can compromise the Google Play Store process to automatically download apps on users’ devices. These apps are not installed, though, but the file is stored in the downloads folder to make sure that the user does not notice any difference on their phones.
“It steals a mobile device’s unique ID and the account of the device’s owner which are used to interact with Google services; it also steals various internal authorization codes for connecting to the Google Play catalog as well as other confidential data. Then the module sends this data to the main component of Android.Skyfin.1.origin, after which the Trojan sends the data to the command and control server along with the device’s technical information,” the firm says.
The malware listens to a series of commands and can search the Google Play Store for a specific app, purchase it, accept terms of service should there be any, add reviews and rate apps.
It goes without saying that the app can be used by attackers to increase the popularity of certain Google Play applications without users even knowing that their devices are affected.
Furthermore, it turns out that Skyfin can even click on banner ads in apps, which means that authors can use them to generate revenue using compromised devices.