• Latest
  • All
  • How To
Android-Malware

Legitimate Looking Multi-Stage Malware Make Their Way into Google Play Store

November 20, 2017
chatgpt

ChatGPT Record Mode Now Available on MacOS for Plus Users

July 17, 2025
Malware

Malware in Disguise: How Hackers Are Using DNS to Slip Past Defenses

July 17, 2025
samsung one ui 8

Samsung Retains Top Spot in Q2 Global Sales Despite Industry’s Slow Growth

July 17, 2025
Mercedes-Benz

Mercedes-Benz Brings Microsoft Teams Video Calls to Cars

July 17, 2025
DHgate Tablet Cases deals
Safaricom Home Fiber

Six-Year Flaw in the Safaricom Home Fiber System Finally Patched

July 17, 2025
Betting Selfie and ID rules

Betting Rules Now Require Selfie and ID to Prove Identity

July 17, 2025
DuckDuckGo

DuckDuckGo Outage Hits Millions of Users

July 16, 2025
Copilot Vision

Windows 11 Is Testing Full Desktop Sharing with Copilot Vision

July 16, 2025
Revealed: The Hidden Formula Behind Kenya Power Token Variations

Revealed: The Hidden Formula Behind Kenya Power Token Variations

July 16, 2025
Meta's Facebook

New Facebook Rules Will Penalize Reposts and Low-Effort Content

July 16, 2025
Bonga Points

Safaricom Suffers Court Setback Over Bonga Points Expiry Ban

July 15, 2025
tecno spark 40 pro plus

Pre-Orders Open for TECNO Spark 40 Pro on Jumia with Discount

July 15, 2025
Techweez | Tech News, Reviews, Deals, Tips and How To
  • News
  • Entertainment
  • Reviews
  • Features
  • Editorial
No Result
View All Result
Techweez | Tech News, Reviews, Deals, Tips and How To
  • News
  • Entertainment
  • Reviews
  • Features
  • Editorial
No Result
View All Result
Techweez | Tech News, Reviews, Deals, Tips and How To
No Result
View All Result

Legitimate Looking Multi-Stage Malware Make Their Way into Google Play Store

Saruni Maina by Saruni Maina
November 20, 2017
in News
Reading Time: 3 mins read
259
0
Android-Malware

ESETAndroid-Malware-2 has discovered another set of malicious apps in the official Android app store, detected by ESET security systems as Android/TrojanDropper.Agent.BKY, the eight apps form a new family of legitimate-looking, multi-stage Android malware and with delayed onset of malicious activity.

Luckily, by the time ESET was making this discovery, none of the apps had reached more than a few hundred downloads.

These apps all employed a multi-stage architecture and encryption to stay under the radar. After being downloaded and installed, the apps would not request any suspicious permissions and would even mimic the activity the user expects them to exhibit.

Along with this, the malicious app also decrypts and executes its first-stage payload which in turn decrypts and executes the second-stage payload, which was then stored in the assets of the initial app downloaded from Google Play. The steps remained invisible to the user.

Execution model of Android/TrojanDropper.Agent.BKY

 

The second-stage payload contained a hardcoded URL, from which it downloaded another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user was then prompted to install the downloaded app.

The app downloaded by the second-stage payload, disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example, “Android Update” or “Adobe Update”. In any case, the app’s purpose was to drop the final payload and obtain all the permissions that payload needed for its malicious actions.

Installation request for the third-stage payload

Once installed and having the requested permissions granted, the malicious app serving as the third-stage payload decrypted and executed the fourth-stage – and final – payload.

In all the cases investigated by ESET, the final payload was a mobile banking trojan. Once installed, it behaved like a typical malicious app of this kind: with potential to present the user with fake login forms to steal credentials or credit card details.

One of the malicious apps downloaded its final payload using the bit.ly URL shortener. Thanks to this, ESET was able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times with the vast majority of hits coming from the Netherlands.

Two of most recent samples of Android/TrojanDropper.Agent.BKY were caught downloading either MazarBot, a notorious banking trojan, or spyware. Given its nature, this downloader can deliver any payload of the criminals’ choice as long as it doesn’t get flagged by the Google Protect mechanism.

Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.

ESET has since notified Google’s security team about the issue. Google has removed all eight apps from its store.

How to get rid of it

Six of the multi-stage downloaders discovered on Google Play

If you’ve downloaded any of these apps, you need to:

  1. Deactivate admin rights for the maliciously installed app
  2. Uninstall this app
  3. Uninstall the app you downloaded from the Play Store

To deactivate admin rights for the  maliciously installed app (payload), go to
Settings > (General) > Security > Device administrators
and search for Adobe Flash Player, Adobe Update or Android Update.

To uninstall the installed payload, go to
Settings > (General) > Application manager/Apps
and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.

To uninstall the malicious app downloaded from the Play store, go to
Settings > (General) > Application manager/Apps
and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO,

Note that the settings structure may vary slightly depending on your Android version.

 

Tags: AndroidMalware
SendShare147Tweet92
Saruni Maina

Saruni Maina

I Google Bing until it Yahoos! | Email: [email protected]

Related Posts

Malware

Malware in Disguise: How Hackers Are Using DNS to Slip Past Defenses

July 17, 2025
Android 16

Android 16 Will Clean Up Your Notifications with Smart AI Grouping

July 12, 2025
Android Canary release channel

Early Access Android Builds Arrive with Google’s Canary Channel

July 12, 2025
Open TV

Open TV Brings Fast and Ad-Free IPTV to Android

July 7, 2025
DeepSeek_vs_ChatGPT

Hackers Build Malware That Tries to Reprogram AI Security Tools

July 1, 2025
How to Install a VPN and the Best Options in Kenya

How to Install a VPN and the Best Options in Kenya

June 27, 2025

Latest

chatgpt

ChatGPT Record Mode Now Available on MacOS for Plus Users

July 17, 2025
Malware

Malware in Disguise: How Hackers Are Using DNS to Slip Past Defenses

July 17, 2025
samsung one ui 8

Samsung Retains Top Spot in Q2 Global Sales Despite Industry’s Slow Growth

July 17, 2025
Mercedes-Benz

Mercedes-Benz Brings Microsoft Teams Video Calls to Cars

July 17, 2025
Safaricom Home Fiber

Six-Year Flaw in the Safaricom Home Fiber System Finally Patched

July 17, 2025
Betting Selfie and ID rules

Betting Rules Now Require Selfie and ID to Prove Identity

July 17, 2025

Best devices

budget smartwatches 2025

Best Budget Smartwatches To Buy in Kenya 2025

February 13, 2025

Best Infinix Smartphones To Buy in Kenya 2024

February 13, 2025

Best Laptops for Battery Life in 2024

August 21, 2024

Best “Battery Warrior” Smartphones To Buy in 2024

August 22, 2024

ChatGPT Record Mode Now Available on MacOS for Plus Users

July 17, 2025

Malware in Disguise: How Hackers Are Using DNS to Slip Past Defenses

July 17, 2025

Techweez is a fast growing influential source of technology news, reviews and analysis by leading tech geeks in the industry.

Follow Us

Editorials

Abductions and Arrests! Kenyan Government’s Fear and Hate of X Users Makes No Sense

Actors and Film Crews Are Worried About Veo 3 Taking Their Jobs

Samsung QLED TVs Now Officially Certified for Real Quantum Dot Technology

Trump’s Tariffs Will Be the End of Affordable Tech

5 Ways to Prep Your Tech for Resale

The Weaponization of PDFs: How Cybercriminals Are Exploiting a Trusted Format

More News

DuckDuckGo Outage Hits Millions of Users

Windows 11 Is Testing Full Desktop Sharing with Copilot Vision

Revealed: The Hidden Formula Behind Kenya Power Token Variations

New Facebook Rules Will Penalize Reposts and Low-Effort Content

Safaricom Suffers Court Setback Over Bonga Points Expiry Ban

Pre-Orders Open for TECNO Spark 40 Pro on Jumia with Discount

  • Terms Of Use
  • Techweez Brand
  • Privacy & Policy
  • Contact Us

© 2024 Techweez - Palahala Media Group may earn a commission when you buy through links on our sites.
A Palahala Media Group Brand. All rights reserved.
.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Techweez | Tech News, Reviews, Deals, Tips and How To
Crunchy Cookies 🍪 Ahead!

Hey there! Just a heads-up: we're big fans of cookies - both the digital and edible kind! 🍪 We use our cookies and some from third parties to ensure your browsing experience on our site is smooth sailing and secure.

 

But wait, there's more! We also use cookies to gather stats and insights on how you navigate our site. It's like getting a behind-the-scenes peek at your digital adventures!

 

Don't worry, you're in control. You can adjust your cookie settings anytime to suit your preferences. Feeling curious? Dive into our Privacy Policy for all the juicy details. Happy browsing! 🚀

Functional Always active
Listen, this legal stuff is about as exciting as watching paint dry. But it basically says we only use your stuff for what you asked us to do, and nobody else gets to peek!
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
It's those sneaky cookie crumbs websites leave behind to count visitors, like counting ants at a picnic! Totally harmless, just for fun facts. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
Hey there! Just letting you know we use some fancy gizmos to remember your preferences. This way, we can show you ads that are, well, not completely bananas.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Make cookies
{title} {title} {title}
Techweez | Tech News, Reviews, Deals, Tips and How To
Crunchy Cookies 🍪 Ahead!
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
Listen, this legal stuff is about as exciting as watching paint dry. But it basically says we only use your stuff for what you asked us to do, and nobody else gets to peek!
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
It's those sneaky cookie crumbs websites leave behind to count visitors, like counting ants at a picnic! Totally harmless, just for fun facts. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
Hey there! Just letting you know we use some fancy gizmos to remember your preferences. This way, we can show you ads that are, well, not completely bananas.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Make cookies
{title} {title} {title}
No Result
View All Result
  • News
  • Reviews
  • Features
  • Editorial
  • Automotive
  • Entertainment

© 2024 Techweez - Palahala Media Group may earn a commission when you buy through links on our sites.
A Palahala Media Group Brand. All rights reserved.
.