Hidden Malicious Code Inside Images of Trojanized Android Games

Approximately 60 Android games hosted on Google Play contained Trojan-like functionality that enabled them to download and execute malicious code hidden inside image files.

The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

Malicious Android apps were common on Google Play until a couple of years ago, when Google imposed more rigorous checks. These include an automated scanner called Bouncer, which uses emulation and behavior-based detection.

Evading Bouncer is not impossible, but it is hard enough to keep most malware authors away. These days, most Android Trojans are distributed through third-party app stores, targeting users who have enabled the installation of apps from “unknown sources.”

The authors of Android.Xiny.19.origin appear to have been more determined. Their trojanized games are functional, but in the background they gather identifying information from the devices they run on. This information includes the phone’s unique IMEI and IMSI identifiers, MAC address, mobile operator, country and language settings, operating system version and more.

The attackers can also command the apps to display advertisements, to silently install or delete apps if the phone is rooted, and to launch APKs (Android application packages) hidden inside images.

The latter functionality, which relies on steganography, is the most interesting feature of the malware and makes the malicious code harder to detect.

“Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly,” the Dr. Web researchers said. “Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images.”

After a specially crafted image is downloaded from the command-and-control server, the Trojan extracts an APK from it using a custom algorithm. It then loads the malicious code into the device’s memory with Android’s DexClassLoader class, so the APK never has to be installed through the normal package manager.

The attack closely resembles a concept presented at the Black Hat Europe security conference in October 2014 by two researchers. They showed that they could hide an APK inside an image file while keeping the image valid when opened; applying a decryption algorithm to the file recovered the APK. The researchers also noted that DexClassLoader could be used to load the recovered APK into memory dynamically, exactly as Android.Xiny.19.origin does now.
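The technique described in the two paragraphs above (an APK hidden in an image that still renders, pulled back out on the device), as an added example that is not Dr. Web's analysis code or the Black Hat researchers' tool. The carrier is a hand-built PNG; the APK is a constructed stand-in that only shares the "PK" ZIP magic with a real package; the payload is tucked into a private ancillary PNG chunk (which viewers are required to ignore, so the image still opens); and the "custom algorithm" is modelled as a repeating-key XOR, which is purely an assumption since the page does not describe the real transform. The block also includes the check a defender would run over downloaded images: chunks outside the standard set, CRC mismatches, bytes after IEND, and ZIP magic where it does not belong.

```python
"""Hide a payload in a valid PNG, recover it, and flag the image.

Added example: not the malware's or the researchers' code.  Assumptions:
the carrier is PNG, the payload rides in a private ancillary chunk
(type 'prVt'), and the obfuscation is a repeating-key XOR.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STEGO_CHUNK = b"prVt"        # ancillary + private + safe-to-copy: viewers skip it
XOR_KEY = b"xiny-demo-key"   # hypothetical key, an assumption for the demo
ZIP_MAGIC = b"PK\x03\x04"    # an APK is a ZIP archive and starts with this
# Constructed stand-in for an APK; a real one would be a full ZIP archive.
FAKE_APK = ZIP_MAGIC + b"constructed stand-in for classes.dex and friends"
# Chunk types defined by the PNG spec; anything else deserves a second look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width=1, height=1, rgb=(255, 0, 0)):
    """Constructed carrier: a minimal, valid 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width          # filter byte 0 + pixels
    idat = zlib.compress(row * height)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def xor(data, key=XOR_KEY):
    """Repeating-key XOR; stands in for the undisclosed real transform."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_png(png):
    """Walk the chunk list. Returns ([(type, data, crc_ok)], trailing_bytes)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(png):                 # 4 len + 4 type + 4 crc minimum
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[end - 4:end])[0]
        crc_ok = crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos = end
        if ctype == b"IEND":                    # decoders stop here; so do we
            break
    return chunks, png[pos:]


def embed_payload(png, payload):
    """Re-emit the carrier with the obfuscated payload inserted before IEND."""
    chunks, trailing = parse_png(png)
    out = PNG_SIGNATURE
    for ctype, data, _ in chunks:
        if ctype == b"IEND":
            out += _chunk(STEGO_CHUNK, xor(payload))
        out += _chunk(ctype, data)
    return out + trailing


def extract_payload(png):
    """What the dropper does on the device: find the chunk, undo the XOR."""
    for ctype, data, crc_ok in parse_png(png)[0]:
        if ctype == STEGO_CHUNK and crc_ok:
            return xor(data)
    return None


def suspicious_findings(png):
    """Defender-side triage: structural anomalies plus a magic-byte sweep."""
    findings = []
    chunks, trailing = parse_png(png)
    for ctype, data, crc_ok in chunks:
        if not crc_ok:
            findings.append("bad CRC in chunk %r" % ctype)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %r (%d bytes)" % (ctype, len(data)))
        if ZIP_MAGIC in data:
            findings.append("ZIP/APK signature inside chunk %r" % ctype)
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
        if ZIP_MAGIC in trailing:
            findings.append("ZIP/APK signature after IEND")
    return findings


if __name__ == "__main__":
    stego = embed_payload(make_png(), FAKE_APK)
    print("recovered:", extract_payload(stego) == FAKE_APK)
    print("findings:", suspicious_findings(stego))
```

Note what the triage function does and does not catch: a payload simply appended after IEND is found by both the trailing-data check and the ZIP magic sweep, but the XOR-obfuscated chunk defeats the magic-byte sweep entirely and is caught only because the chunk type is outside the standard set. That is the point the Dr. Web researchers make: once the payload is transformed, signature scanning of the image is not enough, and the remaining signals are structural (unexpected chunks, chunk sizes out of proportion to the picture, the app's own use of DexClassLoader on data it fetched from the network). Loading the recovered APK is an Android-side step in Java and is not reproduced here.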