Trojans in games for Android: 4.5 million users affected. Do you know something?
The component is supposed to provide a chat service, but in reality it is malware used to display advertisements. And many of the apps are still on Google Play …
Why waste time making a malicious app when you can get a better result by infecting apps through the software used to develop them?
The people at Ya Ya Yun decided to embrace this philosophy and inserted a trojan into their Software Development Kit (SDK), which is used by many developers of video games for Android. The result: 4.5 million Android users found themselves with adware installed on their smartphones.
Thanks to this distribution technique, the trojan ended up in at least 27 applications hosted on Google Play.
Here is the complete list of the infected apps identified by Dr.Web. We can only hope that word spreads about the unreliability of the Ya Ya Yun kit. Otherwise, we may find ourselves facing similar cases in the very near future.
Android games infected
According to the Dr.Web researchers who analyzed the spread of the malware, dubbed Android.RemoteCode.127.origin, the technique used was rather complex.
Apps developed with the Ya Ya Yun SDK appear to be “clean” at first glance, but when used they connect to a Command and Control server and behave like a real trojan.
The curious element is that the malware downloads additional components hidden within innocuous-looking images, and does so following a “Chinese boxes” logic. Each additional module downloads another (the scheme illustrated by the researchers involves at least three steps), perhaps in an attempt to obscure the activity.
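A defender-side triage check for the technique described above, as an added example that is not from Dr.Web or the original article: it walks a PNG's chunks and reports any data stored after the IEND end marker, flagging DEX, ZIP or ELF signatures in it. The article does not say how the modules are embedded, so appended data in a PNG is an assumption here, and the sample images are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# File signatures of code an Android loader could run or unpack.
PAYLOAD_MAGICS = {
    b"dex\n": "DEX bytecode",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
    b"\x7fELF": "ELF native library",
}


def png_chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Build one PNG chunk; only used to construct the sample images."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list to IEND and report whatever is stored after it."""
    result = {"valid_png": False, "trailing_bytes": 0, "payload_type": None}
    if not blob.startswith(PNG_SIG):
        return result
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        pos += 12 + length  # length field + type + data + CRC
        if pos > len(blob):
            return result  # truncated chunk
        if ctype == b"IEND":
            trailing = blob[pos:]
            result["valid_png"] = True
            result["trailing_bytes"] = len(trailing)
            result["payload_type"] = next(
                (n for m, n in PAYLOAD_MAGICS.items() if m in trailing), None)
            return result
    return result  # no IEND chunk found


# Constructed samples: a 1x1 grayscale PNG, and the same image with inert
# bytes that merely start with a DEX header appended after IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN = (PNG_SIG + png_chunk(b"IHDR", IHDR)
         + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND"))
TAMPERED = CLEAN + b"dex\n035\x00" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, inspect_png(blob))
```

Trailing bytes after IEND are not proof of malice on their own (some tools append metadata), so a hit is a reason to pull the file for analysis rather than a verdict.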
The ultimate goal, in any case, is to open Web pages and click on predefined links and banners in order to allow cyber criminals to collect advertising revenue related to the links in question.
Since the malware is able to update itself, however, it cannot be ruled out that its activity will turn to more damaging operations.
The problem is that, according to a quick check, many of the infected apps have not been removed from Google Play and can still be downloaded in the same versions that Dr.Web indicates as infected.