More than a million users have downloaded a particularly sneaky Android trojan that’s available on the official Google Play Store.
The Russian security firm Doctor Web found that the malware, known as Android.MulDrop.924, likes to disguise itself as games and other apps on Google Play Store and other app marketplaces.
One of its preferred masks is an app called “Multiple Accounts: 2 Accounts.” It allows users to set up multiple accounts for games, email, messaging, and other software on their devices.
The app hasn’t received too many bad reviews, either.
No doubt such a good reputation played a part in convincing at least one million users to download it.
The app, which is still available on Google Play, might appear to be benign in functionality. But it hides a dark secret.
Doctor Web explains more:
“The Trojan has a unique modular architecture. Part of its functionality is located in two auxiliary modules, which are encrypted and hidden inside a PNG image in the resource catalog of Android.MulDrop.924. Once launched, the Trojan extracts and copies these modules to its local directory in the section /data and then loads them into the memory.”
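One way to check an APK for the kind of hiding place Doctor Web describes, as an added example that is not code from Doctor Web or from this article. The report does not say how the modules are embedded in the PNG, so the sketch assumes two common places for extra data (bytes after the IEND chunk and chunk types outside the PNG specification); all function names and the sample archive are constructed for illustration.

```python
import io, struct, zipfile, zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG specification, plus the nine-patch chunks aapt writes.
KNOWN = set(("IHDR PLTE IDAT IEND tRNS gAMA cHRM sRGB iCCP tEXt zTXt iTXt bKGD "
             "pHYs sBIT sPLT hIST tIME npTc npLb npOl").encode().split())

def inspect_png(data):
    """Return findings for one PNG resource (assumed hiding places, see lead-in)."""
    if not data.startswith(PNG_MAGIC):
        return ["not a PNG despite its extension"]
    findings, pos = [], len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + body + CRC
        if end > len(data):
            return findings + ["truncated chunk %r" % ctype]
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            findings.append("bad CRC in chunk %r" % ctype)
        if ctype not in KNOWN:
            findings.append("unknown chunk %r (%d bytes)" % (ctype, length))
        pos = end
        if ctype == b"IEND":
            if pos < len(data):
                findings.append("%d bytes after IEND" % (len(data) - pos))
            return findings
    return findings + ["no IEND chunk"]

def scan_apk(apk_bytes):
    """Map each .png entry of an APK (a ZIP archive) that has findings to them."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        pngs = [n for n in apk.namelist() if n.lower().endswith(".png")]
        report = {n: inspect_png(apk.read(n)) for n in pngs}
    return {n: f for n, f in report.items() if f}

def make_chunk(ctype, body=b""):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_apk():
    """Constructed sample: a ZIP with a clean PNG and one with 64 appended bytes."""
    png = PNG_MAGIC + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    png += make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/icon.png", png)
        z.writestr("res/drawable/bg.png", png + b"\x5a" * 64)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

A finding is a reason to look closer at the resource, not a verdict, and the check does not cover data hidden inside the pixel values themselves.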
Let’s focus on the module “main.jar” in particular. It loads up several plug-ins designed to generate income.
One of those is the trojan Android.DownLoader.451.origin, which is like Android.Slicer.1.origin and Android.Spy.277.origin in that it covertly downloads applications and displays unwanted advertisements on the infected device.
But that’s not all main.jar can carry. Other versions of Android.MulDrop.924 came with Triada, a trojan which leverages exploits to achieve root privileges on the device.
This particular trojan goes to show just how difficult it is sometimes to avoid a malware infection. With that in mind, users should maintain an up-to-date anti-virus solution on their phones and download apps only from trusted developers on Google Play Store.
It’s not a foolproof anti-malware strategy, but it’s your best bet when trojans as clever as Android.MulDrop.924 are out there.