New Android Trojan Kills Play Protect: Online Shoppers in Danger

April 13, 2020
|In Security
|By Security Team

A new Android Trojan now threatens smartphone users. The Shopper.a Android Trojan kills Play Protect and lets the attackers place fake app reviews from infected devices.

According to a Kaspersky report, a new Trojan application “Trojan-Dropper. AndroidOS.Shopper.a” is boosting popular shopping app ratings and installations and spreading ads to annoy users. 28.46% of Russians have been affected by this malware, followed by Brazil with 18.70% and India with 14%. At present, the malware is limited to fake ratings and unsolicited ads but no one knows what it might do in the future.

Reportedly, researchers from Kaspersky Labs have discovered a new malware that targets Android users. Identified as Shopper.a, this Android Trojan exhibits a high level of maliciousness and different functionalities. The most unique being the ability to boost app reviews. Elaborating on their findings in a blog post, the researchers stated that the cybercriminals are using this Trojan-Dropper.AndroidOS.Shopper.a to place fake app reviews and increase the number of installations. Certainly, a feature to lure advertisers by boosting app reputation. Other than boosting the app’s ratings, the malware is also capable of executing other functionalities. Upon reaching a device, the trojan masks itself as a system app named ‘ConfigAPKs’ to trick the user. Whereas, in the background, the trojan continues its malicious activities. This includes exploiting the Android Accessibility Service for providing limitless possibilities for abusing the target devices.

Once the trojan gets access to the app, it can do anything with the system interface and other apps. The app hides itself as a system application and uses a system icon named ‘ConfigAPKs’ which allows it to hide from the user. This trojan-infected app can also hack user’s Google or Facebook account where it then registers on popular shopping apps including AliExpress, Lazada, Zalora, Shein, et al. It also posts application reviews in Google Play on behalf of the device owner. In case the rights to use the Accessibility Service permission is not granted, it sends a phishing request.

Furthermore, the app can switch off Google Play Protect, a feature that runs a safety check on apps before they are downloaded from the play store. It’s not known yet as to how the malicious app is being spread, and Kaspersky researchers assume that it might have been downloaded by users via fraudulent ads or third-party app stores.

The lack of installation rights from third-party sources is no obstacle to the Trojan — it gives itself the requisite permissions through Accessibility Service. With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures.

Recommendation:

It is recommended that Android users must always remain vigilant while installing apps. Make sure to review the permissions an app requires, check the relevancy of reviews to the app functionalities, and never download apps from third-party sources.