• Latest
  • All
  • How To
Android-Malware

Legitimate Looking Multi-Stage Malware Make Their Way into Google Play Store

November 20, 2017
Why Can'y You Register a Safaricom SIM Card After 7 PM

Why You Cannot Register a Safaricom SIM Card After 7 PM

July 10, 2025
Former Safaricom Chief Enterprise Business Officer, Cynthia Karuri-Kropac

Frankline Okata Takes Over as Cynthia Karuri-Kropac Exits Safaricom PLC

July 10, 2025
AI

OpenAI and Perplexity Launch Browsers to Rival Google Chrome

July 10, 2025
Vivo-Y29-4G

Vivo Y29 Launches in Kenya at KES 23,999

July 10, 2025
DHgate Tablet Cases deals
galaxy z fold7-galaxy z flip7-samsung

Samsung Unveils Galaxy Z Fold7 and Z Flip7 with Bigger Screens

July 10, 2025
GTA VI

Rockstar May Be Testing 96-Player Servers for GTA 6

July 10, 2025
Former X CEO, Linda Yaccarino

Linda Yaccarino Steps Down as CEO of X After Two Years

July 9, 2025
Apple-WWDC25-iOS-26

iPhone Users Are Not Too Happy With the iOS 26 Liquid Glass Design

July 9, 2025
Official document handover by Bernard Mwonyonyo and Habib Lukaya from Roam.

E-Mobility in Kenya Gets a Lift with New Bike Financing Program

July 9, 2025
Samsung

This Samsung Security Update Could Change How You Use Your Phone

July 9, 2025
tecno ultimate g fold concept

TECNO Joins Tri-Fold Race With Ultimate G Fold Concept Phone

July 10, 2025
Microsoft Edge browser

Microsoft Makes Edge 40% Faster in a Bid to Lure Chrome Users

July 8, 2025
Techweez | Tech News, Reviews, Deals, Tips and How To
  • News
  • Entertainment
  • Reviews
  • Features
  • Editorial
No Result
View All Result
Techweez | Tech News, Reviews, Deals, Tips and How To
  • News
  • Entertainment
  • Reviews
  • Features
  • Editorial
No Result
View All Result
Techweez | Tech News, Reviews, Deals, Tips and How To
No Result
View All Result

Legitimate Looking Multi-Stage Malware Make Their Way into Google Play Store

Saruni Maina by Saruni Maina
November 20, 2017
in News
Reading Time: 3 mins read
259
0
Android-Malware

ESETAndroid-Malware-2 has discovered another set of malicious apps in the official Android app store, detected by ESET security systems as Android/TrojanDropper.Agent.BKY, the eight apps form a new family of legitimate-looking, multi-stage Android malware and with delayed onset of malicious activity.

Luckily, by the time ESET was making this discovery, none of the apps had reached more than a few hundred downloads.

These apps all employed a multi-stage architecture and encryption to stay under the radar. After being downloaded and installed, the apps would not request any suspicious permissions and would even mimic the activity the user expects them to exhibit.

Along with this, the malicious app also decrypts and executes its first-stage payload which in turn decrypts and executes the second-stage payload, which was then stored in the assets of the initial app downloaded from Google Play. The steps remained invisible to the user.

Execution model of Android/TrojanDropper.Agent.BKY

 

The second-stage payload contained a hardcoded URL, from which it downloaded another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user was then prompted to install the downloaded app.

The app downloaded by the second-stage payload, disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example, “Android Update” or “Adobe Update”. In any case, the app’s purpose was to drop the final payload and obtain all the permissions that payload needed for its malicious actions.

Installation request for the third-stage payload

Once installed and having the requested permissions granted, the malicious app serving as the third-stage payload decrypted and executed the fourth-stage – and final – payload.

In all the cases investigated by ESET, the final payload was a mobile banking trojan. Once installed, it behaved like a typical malicious app of this kind: with potential to present the user with fake login forms to steal credentials or credit card details.

One of the malicious apps downloaded its final payload using the bit.ly URL shortener. Thanks to this, ESET was able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times with the vast majority of hits coming from the Netherlands.

Two of most recent samples of Android/TrojanDropper.Agent.BKY were caught downloading either MazarBot, a notorious banking trojan, or spyware. Given its nature, this downloader can deliver any payload of the criminals’ choice as long as it doesn’t get flagged by the Google Protect mechanism.

Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.

ESET has since notified Google’s security team about the issue. Google has removed all eight apps from its store.

How to get rid of it

Six of the multi-stage downloaders discovered on Google Play

If you’ve downloaded any of these apps, you need to:

  1. Deactivate admin rights for the maliciously installed app
  2. Uninstall this app
  3. Uninstall the app you downloaded from the Play Store

To deactivate admin rights for the  maliciously installed app (payload), go to
Settings > (General) > Security > Device administrators
and search for Adobe Flash Player, Adobe Update or Android Update.

To uninstall the installed payload, go to
Settings > (General) > Application manager/Apps
and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.

To uninstall the malicious app downloaded from the Play store, go to
Settings > (General) > Application manager/Apps
and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO,

Note that the settings structure may vary slightly depending on your Android version.

 

Tags: AndroidMalware
SendShare147Tweet92
Saruni Maina

Saruni Maina

I Google Bing until it Yahoos! | Email: [email protected]

Related Posts

Open TV

Open TV Brings Fast and Ad-Free IPTV to Android

July 7, 2025
DeepSeek_vs_ChatGPT

Hackers Build Malware That Tries to Reprogram AI Security Tools

July 1, 2025
How to Install a VPN and the Best Options in Kenya

How to Install a VPN and the Best Options in Kenya

June 27, 2025
How to Secure Your Phone and Yourself During Protests

How to Secure Your Phone (and Yourself) During Protests

June 25, 2025
Android 16

Google Releases Android 16 Early with Powerful New Tools

June 11, 2025
google-ai-edge-gallery

New Google App Lets You Use AI Offline on Android

June 5, 2025

Latest

Why Can'y You Register a Safaricom SIM Card After 7 PM

Why You Cannot Register a Safaricom SIM Card After 7 PM

July 10, 2025
Former Safaricom Chief Enterprise Business Officer, Cynthia Karuri-Kropac

Frankline Okata Takes Over as Cynthia Karuri-Kropac Exits Safaricom PLC

July 10, 2025
AI

OpenAI and Perplexity Launch Browsers to Rival Google Chrome

July 10, 2025
Vivo-Y29-4G

Vivo Y29 Launches in Kenya at KES 23,999

July 10, 2025
galaxy z fold7-galaxy z flip7-samsung

Samsung Unveils Galaxy Z Fold7 and Z Flip7 with Bigger Screens

July 10, 2025
GTA VI

Rockstar May Be Testing 96-Player Servers for GTA 6

July 10, 2025

Best devices

budget smartwatches 2025

Best Budget Smartwatches To Buy in Kenya 2025

February 13, 2025

Best Infinix Smartphones To Buy in Kenya 2024

February 13, 2025

Best Laptops for Battery Life in 2024

August 21, 2024

Best “Battery Warrior” Smartphones To Buy in 2024

August 22, 2024

Why You Cannot Register a Safaricom SIM Card After 7 PM

July 10, 2025

Frankline Okata Takes Over as Cynthia Karuri-Kropac Exits Safaricom PLC

July 10, 2025

Techweez is a fast growing influential source of technology news, reviews and analysis by leading tech geeks in the industry.

Follow Us

Editorials

Abductions and Arrests! Kenyan Government’s Fear and Hate of X Users Makes No Sense

Actors and Film Crews Are Worried About Veo 3 Taking Their Jobs

Samsung QLED TVs Now Officially Certified for Real Quantum Dot Technology

Trump’s Tariffs Will Be the End of Affordable Tech

5 Ways to Prep Your Tech for Resale

The Weaponization of PDFs: How Cybercriminals Are Exploiting a Trusted Format

More News

Linda Yaccarino Steps Down as CEO of X After Two Years

iPhone Users Are Not Too Happy With the iOS 26 Liquid Glass Design

E-Mobility in Kenya Gets a Lift with New Bike Financing Program

This Samsung Security Update Could Change How You Use Your Phone

TECNO Joins Tri-Fold Race With Ultimate G Fold Concept Phone

Microsoft Makes Edge 40% Faster in a Bid to Lure Chrome Users

  • Terms Of Use
  • Techweez Brand
  • Privacy & Policy
  • Contact Us

© 2024 Techweez - Palahala Media Group may earn a commission when you buy through links on our sites.
A Palahala Media Group Brand. All rights reserved.
.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Techweez | Tech News, Reviews, Deals, Tips and How To
Crunchy Cookies 🍪 Ahead!

Hey there! Just a heads-up: we're big fans of cookies - both the digital and edible kind! 🍪 We use our cookies and some from third parties to ensure your browsing experience on our site is smooth sailing and secure.

 

But wait, there's more! We also use cookies to gather stats and insights on how you navigate our site. It's like getting a behind-the-scenes peek at your digital adventures!

 

Don't worry, you're in control. You can adjust your cookie settings anytime to suit your preferences. Feeling curious? Dive into our Privacy Policy for all the juicy details. Happy browsing! 🚀

Functional Always active
Listen, this legal stuff is about as exciting as watching paint dry. But it basically says we only use your stuff for what you asked us to do, and nobody else gets to peek!
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
It's those sneaky cookie crumbs websites leave behind to count visitors, like counting ants at a picnic! Totally harmless, just for fun facts. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
Hey there! Just letting you know we use some fancy gizmos to remember your preferences. This way, we can show you ads that are, well, not completely bananas.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Make cookies
{title} {title} {title}
Techweez | Tech News, Reviews, Deals, Tips and How To
Crunchy Cookies 🍪 Ahead!
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
Listen, this legal stuff is about as exciting as watching paint dry. But it basically says we only use your stuff for what you asked us to do, and nobody else gets to peek!
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
It's those sneaky cookie crumbs websites leave behind to count visitors, like counting ants at a picnic! Totally harmless, just for fun facts. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
Hey there! Just letting you know we use some fancy gizmos to remember your preferences. This way, we can show you ads that are, well, not completely bananas.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Make cookies
{title} {title} {title}
No Result
View All Result
  • News
  • Reviews
  • Features
  • Editorial
  • Automotive
  • Entertainment

© 2024 Techweez - Palahala Media Group may earn a commission when you buy through links on our sites.
A Palahala Media Group Brand. All rights reserved.
.