Fake app launches five services
A new threat for Android devices emerges, as researchers have found a Google Play clone that can send text messages, signature certificates, and bank passwords to Gmail accounts.
FireEye researchers Jinjian Zhai and Jimmy Su analyzed the behavior of the app and determined that the attacker uses a dynamic DNS domain together with Gmail over SSL in order to exfiltrate the collected data.
Once started, the fake app, called “googl app stoy,” requests administrator privileges and, instead of showing an interface, displays error messages informing the user that it has been deleted and that “googl app stoy” activity has stopped.
Upon closer inspection, only its icon is removed, as the app is still active in the background and launches a set of five services. It is present in the list of apps currently running on the device and it cannot be removed or uninstalled.
This is of particular importance because users have to launch it only once for it to become active, and the suspicious activity can remain undetected, since the legitimate Google Play icon is still in place.
It appears that the targeted victims are Korean, as the error message presented in the infected device is in Korean.
The malicious program hides its malware component through compression and encryption. FireEye researchers managed to decrypt it and reached the conclusion that the details targeted by the cybercriminals are short text messages, signature certificates, and bank account passwords.
By capturing the network traffic generated by the threat, the two researchers could ascertain that signature certificates and keys were sent to the domain “dhfjhewjhsldie.xicp.net.”