Trojan hides in Google Play games, uses steganography to find more malicious code to run

David bisson
David Bisson

Android malware uses steganographyResearchers have uncovered a new Android trojan that has targeted dozens of games in the official Google Play Store and which relies on steganography to dynamically run arbitrary APK files.

On Thursday, Russian anti-virus company Dr Web published a blog post about Android.Xiny.19.origin, malware which has incorporated itself into more than 60 Android-based games developed by Conexagon Studio, Fun Color Games, BILLAPPS, and some 30 other companies.

Though Dr Web has notified Google of the Trojan, many of the games remain active on the official Play Store as of this writing.

Infected android games

Sign up to our free newsletter.
Security news, advice, and tips.

The infection process begins as soon as the user begins playing the game, as Dr Web’s research team explains:

Android.Xiny.19.origin sends the following information on the affected device to the server: its IMEI identifier and MAC address, a version and a current language of the operating system, and mobile network operator name. What is more, cybercriminals get information about accessibility of a memory card, name of an application, which the Trojan is incorporated into, and whether this application is in the system folder.”

These capabilities notwithstanding, the trojan derives its true might from the ability to dynamically run arbitrary APK files. Android.Xiny.19.origin receives these malicious programs from seemingly benign image files that computer criminals have modified using steganography. A special algorithm helps the malware retrieve these files. It then loads it into the device’s RAM using the DexClassLoader class.


Besides running APK files, the Trojan can download applications and prompt the user to run malicious software as well as display annoying advertisements.

But it gets worse, explains Dr Web:

Android.Xiny.19.origin is not yet able to gain root privileges. However, given that the Trojan is mainly designed to install software, it can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.”

With this threat in mind, all Android users should think carefully before installing any application that might seem dubious.

This advice holds if the app is distributed via the official Google Play Store and especially if it is hosted on a third-party site. Installing an anti-virus solution on your mobile device can help spot unwelcome guests hiding in your new smartphone game.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

8 comments on “Trojan hides in Google Play games, uses steganography to find more malicious code to run”

  1. Simon Crawley

    Graham – Many thanks for once again bringing this news to our attention – I have a very little Face Book Group, only open to my family where I re post these sorts of things, along with my own researched items into mobile phone security. Unfortunately on this post you seem a little vague about the Apps concerned and/or the companies.

    I note that the original bloggers were also vague in this area. Do you have a definitive list of the apps involved – as if they are listed, people can check to see if they have them and remove them, but a vague warning of, be on the look out for sus apps isn't really any help.

    It is great for me that there is a reasonable level of detail on how the malware works as I am interested, but for most people they are not interested in this, they just want to know – 'Do I have any of the Apps or not?'

    The reason I set up my little group was because for this fact – security people love to go into detail on stuff that their primary audience doesn't care about and so risk losing or turning them off security advice. So I read these posts, and if required re write them in terms that the majority of phone users understand. A good few of your posts enter un-edited as you are often clear, but leaving out the one bit of info the user wants – which Apps are infected, and do I have any of them, isn't helpful.

    Sorry if I come across as negative and criticising – I am a subscriber of yours and advise others to follow you, but most just want to be told – don't get that App.

    1. Graham CluleyGraham Cluley · in reply to Simon Crawley

      Hi Simon

      To give him his rightful credit, it was actually David Bisson who wrote this article not me.

      I agree it's a shame that Dr Web hasn't been able to provide a list of precise game titles and developers that have been linked to the malware.

      Instead they have said a total of more than 60 games from 30-or-so developers are in the frame.

      Dr Web specifically mentions three developers (Conexagon Studio, Fun Color Games, and BILLAPPS) but clearly it would be good to know about more.

      It's easy to find out what apps the named developers have released (see for instance to see Conexagon Studio's apps — and you will find the likes of Crazy Bubble Shooting 2, Crazy Subway Rush 2, Modern Battle Sand Sniper 3D, Miami Top Drag Racing GT 2016 amongst others) but it's unclear whether *all* of the apps from these developers are dangerous.

      Also, it's possible that apps with the same names may be distributed, perfectly legitimately, by other developers.

      So, I'm sorry that it's not possible to be more specific at this time.

      Finally, it's worth bearing in mind that if the bad guys have managed to do it successfully with this many apps, without Google yet appearing to have taken any action, it's very possible that more apps might continue to be spread.

      Your best bet may continue to be to take care that you are downloading apps from trusted developers and running a security solution to protect your Android.

      1. Simon Crawley · in reply to Graham Cluley

        Graham – Thank you for your prompt and in depth reply.

  2. coyote

    'With this threat in mind, all Android users should think carefully before installing any application that might seem dubious.'

    Then again, it's more like you shouldn't install dubious applications unless you absolutely know what you're doing (maybe in an isolated sandbox ? or you know for sure what it is for some reason and/or you are actually testing it ?) and this always goes. And of course it goes for any platform and type of device.

    And you should always be thinking and always follow the best practises (including but not restricted to security).

    So maybe it is more like: this is a reminder to be careful and to always think. Perhaps I'm just too literal but it's still a good thing to keep in mind always.

  3. John

    The thing that gets me is, why do these smartphone companies deem it necessary to load a new phone with a bunch of useless aps that I will never use. All they do is eat up memory in the first place. I want to be able to choose what aps I really want. Who's to say if the pre-loaded junk isn't riddled with Trojans and spyware.

  4. moos mom

    have u ever entertained the idea that this problem may be an 'inside job' and thats why google hasn't taken any action.

  5. Matthew Parkes

    It obviously shows that Google's process for vetting apps from third party developers is not adequate, I know the android platform is not garden walled like Apple but I would have thought there should be some kind of review in there and not let developers just throw in apps willy nilly. The problem is the developer tools these guys use are often riddled with malware as they are obtained from dubious sources themselves. If Google's philosophy is to make the Android platform so open as to have no checks in place then why on earth do consumers by Android products. And while Apples methods are not perfect by a long shot maybe Google need to take a leaf out their book and at least try to protect both lazy developers and lazy consumers.

  6. Selvabharathi

    Is any one tell me if we use DexClassLoader and build some serious application will have any legal issue, like claiming about security.
    or where i can check all legal issues related for DexClassLoader class.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.