• Latest
  • All
  • How To
Android-Malware

Legitimate Looking Multi-Stage Malware Make Their Way into Google Play Store

November 20, 2017
kenya-parliament

Parliament Invites Public Feedback on Virtual Asset Bill 2025

May 30, 2025
ConnectedAfrica2025(Day4)-meta-foondamate

Connected Africa 2025 Day 4: FoondaMate and Meta Team Up to Bring AI to Classrooms

May 29, 2025
google-veo-3

Actors and Film Crews Are Worried About Veo 3 Taking Their Jobs

May 29, 2025
iOS 26

Apple Plans Big Rename for iOS and macOS at WWDC 2025

May 29, 2025
DHgate Tablet Cases deals
University student fined for defamatory Facebook posts

University Student Fined KES 7.5 Million for Defamatory Facebook Posts

May 29, 2025
AI Africa policies database

New Platform Brings All African AI Policies Under One Database

May 28, 2025
POATE 2025

Kenya’s Tourism Sector Grows as Travel Gets Easier Across East Africa

May 28, 2025
sodium-ion battery

Researchers Develop Sodium-Ion Battery That Charges to 80% in 6 Minutes

May 27, 2025
TV Gambling Ads

Regulator Fines Stations Using Religious Shows to Push Gambling

May 27, 2025
Connected Africa Summit 2025

Connected Africa 2025 Day 2: Focus on Digital Inclusion & Cybersecurity

May 27, 2025
whatsapp chatbots

iPad Users May Finally Get a Native WhatsApp App

May 28, 2025
Connected Africa Summit

Connected Africa Summit Calls for Unified Tech Vision

May 28, 2025
Techweez | Tech News, Reviews, Deals, Tips and How To
  • News
  • Entertainment
  • Reviews
  • Features
  • Editorial
No Result
View All Result
Techweez | Tech News, Reviews, Deals, Tips and How To
  • News
  • Entertainment
  • Reviews
  • Features
  • Editorial
No Result
View All Result
Techweez | Tech News, Reviews, Deals, Tips and How To
No Result
View All Result

Legitimate Looking Multi-Stage Malware Make Their Way into Google Play Store

Saruni Maina by Saruni Maina
November 20, 2017
in News
Reading Time: 3 mins read
259
0
Android-Malware

ESETAndroid-Malware-2 has discovered another set of malicious apps in the official Android app store, detected by ESET security systems as Android/TrojanDropper.Agent.BKY, the eight apps form a new family of legitimate-looking, multi-stage Android malware and with delayed onset of malicious activity.

Luckily, by the time ESET was making this discovery, none of the apps had reached more than a few hundred downloads.

These apps all employed a multi-stage architecture and encryption to stay under the radar. After being downloaded and installed, the apps would not request any suspicious permissions and would even mimic the activity the user expects them to exhibit.

Along with this, the malicious app also decrypts and executes its first-stage payload which in turn decrypts and executes the second-stage payload, which was then stored in the assets of the initial app downloaded from Google Play. The steps remained invisible to the user.

Execution model of Android/TrojanDropper.Agent.BKY

 

The second-stage payload contained a hardcoded URL, from which it downloaded another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user was then prompted to install the downloaded app.

The app downloaded by the second-stage payload, disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example, “Android Update” or “Adobe Update”. In any case, the app’s purpose was to drop the final payload and obtain all the permissions that payload needed for its malicious actions.

Installation request for the third-stage payload

Once installed and having the requested permissions granted, the malicious app serving as the third-stage payload decrypted and executed the fourth-stage – and final – payload.

In all the cases investigated by ESET, the final payload was a mobile banking trojan. Once installed, it behaved like a typical malicious app of this kind: with potential to present the user with fake login forms to steal credentials or credit card details.

One of the malicious apps downloaded its final payload using the bit.ly URL shortener. Thanks to this, ESET was able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times with the vast majority of hits coming from the Netherlands.

Two of most recent samples of Android/TrojanDropper.Agent.BKY were caught downloading either MazarBot, a notorious banking trojan, or spyware. Given its nature, this downloader can deliver any payload of the criminals’ choice as long as it doesn’t get flagged by the Google Protect mechanism.

Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.

ESET has since notified Google’s security team about the issue. Google has removed all eight apps from its store.

How to get rid of it

Six of the multi-stage downloaders discovered on Google Play

If you’ve downloaded any of these apps, you need to:

  1. Deactivate admin rights for the maliciously installed app
  2. Uninstall this app
  3. Uninstall the app you downloaded from the Play Store

To deactivate admin rights for the  maliciously installed app (payload), go to
Settings > (General) > Security > Device administrators
and search for Adobe Flash Player, Adobe Update or Android Update.

To uninstall the installed payload, go to
Settings > (General) > Application manager/Apps
and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.

To uninstall the malicious app downloaded from the Play store, go to
Settings > (General) > Application manager/Apps
and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO,

Note that the settings structure may vary slightly depending on your Android version.

 

Tags: AndroidMalware
SendShare147Tweet92
Saruni Maina

Saruni Maina

I Google Bing until it Yahoos! | Email: [email protected]

Related Posts

Google I/O 2025

Google I/O 2025 Highlights: Gemini, XR Glasses & Project Astra

May 21, 2025
Google I/O 2025

Google I/O 2025: Android 16, Gemini AI, and the Future of Smart Devices

May 20, 2025
samsung one ui 8

Is Your Samsung Phone Too Old for One UI 8 Update?

May 17, 2025
Advanced Protection feature

Google Expands Advanced Protection in Android 16 to Tackle Spyware Threats

May 17, 2025
Google keep

You Can Now Bold and Format Text in Google Keep on the Web

May 13, 2025
Google messages

Google Messages Rolls Out New Features Including Delete for Everyone

May 12, 2025

Latest

kenya-parliament

Parliament Invites Public Feedback on Virtual Asset Bill 2025

May 30, 2025
ConnectedAfrica2025(Day4)-meta-foondamate

Connected Africa 2025 Day 4: FoondaMate and Meta Team Up to Bring AI to Classrooms

May 29, 2025
google-veo-3

Actors and Film Crews Are Worried About Veo 3 Taking Their Jobs

May 29, 2025
iOS 26

Apple Plans Big Rename for iOS and macOS at WWDC 2025

May 29, 2025
University student fined for defamatory Facebook posts

University Student Fined KES 7.5 Million for Defamatory Facebook Posts

May 29, 2025
AI Africa policies database

New Platform Brings All African AI Policies Under One Database

May 28, 2025

Best devices

budget smartwatches 2025

Best Budget Smartwatches To Buy in Kenya 2025

February 13, 2025

Best Infinix Smartphones To Buy in Kenya 2024

February 13, 2025

Best Laptops for Battery Life in 2024

August 21, 2024

Best “Battery Warrior” Smartphones To Buy in 2024

August 22, 2024

Parliament Invites Public Feedback on Virtual Asset Bill 2025

May 30, 2025

Connected Africa 2025 Day 4: FoondaMate and Meta Team Up to Bring AI to Classrooms

May 29, 2025

Techweez is a fast growing influential source of technology news, reviews and analysis by leading tech geeks in the industry.

Follow Us

Editorials

Actors and Film Crews Are Worried About Veo 3 Taking Their Jobs

Samsung QLED TVs Now Officially Certified for Real Quantum Dot Technology

Trump’s Tariffs Will Be the End of Affordable Tech

5 Ways to Prep Your Tech for Resale

The Weaponization of PDFs: How Cybercriminals Are Exploiting a Trusted Format

Introducing A Brainbox Quiz: Techweez’s Monthly Trivia Night!

More News

Kenya’s Tourism Sector Grows as Travel Gets Easier Across East Africa

Researchers Develop Sodium-Ion Battery That Charges to 80% in 6 Minutes

Regulator Fines Stations Using Religious Shows to Push Gambling

Connected Africa 2025 Day 2: Focus on Digital Inclusion & Cybersecurity

iPad Users May Finally Get a Native WhatsApp App

Connected Africa Summit Calls for Unified Tech Vision

  • Terms Of Use
  • Techweez Brand
  • Privacy & Policy
  • Contact Us

© 2024 Techweez - Palahala Media Group may earn a commission when you buy through links on our sites.
A Palahala Media Group Brand. All rights reserved.
.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Techweez | Tech News, Reviews, Deals, Tips and How To
Crunchy Cookies 🍪 Ahead!

Hey there! Just a heads-up: we're big fans of cookies - both the digital and edible kind! 🍪 We use our cookies and some from third parties to ensure your browsing experience on our site is smooth sailing and secure.

 

But wait, there's more! We also use cookies to gather stats and insights on how you navigate our site. It's like getting a behind-the-scenes peek at your digital adventures!

 

Don't worry, you're in control. You can adjust your cookie settings anytime to suit your preferences. Feeling curious? Dive into our Privacy Policy for all the juicy details. Happy browsing! 🚀

Functional Always active
Listen, this legal stuff is about as exciting as watching paint dry. But it basically says we only use your stuff for what you asked us to do, and nobody else gets to peek!
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
It's those sneaky cookie crumbs websites leave behind to count visitors, like counting ants at a picnic! Totally harmless, just for fun facts. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
Hey there! Just letting you know we use some fancy gizmos to remember your preferences. This way, we can show you ads that are, well, not completely bananas.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Make cookies
{title} {title} {title}
Techweez | Tech News, Reviews, Deals, Tips and How To
Crunchy Cookies 🍪 Ahead!
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
Listen, this legal stuff is about as exciting as watching paint dry. But it basically says we only use your stuff for what you asked us to do, and nobody else gets to peek!
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
It's those sneaky cookie crumbs websites leave behind to count visitors, like counting ants at a picnic! Totally harmless, just for fun facts. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
Hey there! Just letting you know we use some fancy gizmos to remember your preferences. This way, we can show you ads that are, well, not completely bananas.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Make cookies
{title} {title} {title}
No Result
View All Result
  • News
  • Reviews
  • Features
  • Editorial
  • Automotive
  • Entertainment

© 2024 Techweez - Palahala Media Group may earn a commission when you buy through links on our sites.
A Palahala Media Group Brand. All rights reserved.
.