Date:15/10/18
GPlayed Trojan Masquerades as Google Play to Attack Android Devices
Researchers have identified a new Android Trojan, dubbed 'GPlayed', that ships with several built-in capabilities. The Trojan is extremely flexible, which makes it an effective tool for attackers. On infected devices it impersonates a popular Google service, the Google Play store: to fool users into believing it is legitimate software, the malware labels itself 'Google Play Marketplace' and uses an icon that closely resembles the original Google Play icon. The researchers who found the malware say it is particularly powerful because it can adapt after deployment.

As per a blog post by researchers at Cisco Talos, the GPlayed Trojan's design and implementation are of "an uncommonly high level," making it a dangerous threat. They expect such threats to become more common as more companies publish their software directly to consumers rather than through an app store. GPlayed is described as a full-fledged Trojan with capabilities ranging from those of "a banking Trojan to a full spying Trojan," meaning the malware can do anything from "harvest the user's banking credentials, to monitoring the device's location." The Trojan also shows a new path along which threats can evolve: because it is built on a cross-platform .NET toolchain, code can be moved from desktop to mobile platforms with little effort.
According to the blog post, the malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL" and contains one root class, "eClient," which is the core of the Trojan. The post adds, "The imports reveal the use of a second DLL called 'eCommon.DLL.' We determined that the 'eCommon' file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities."
The GPlayed Trojan is highly evolved in its design, says Vitor Ventura, the author of the blog post. It has a modular architecture implemented as plugins, and it can also receive new .NET source code that is compiled on the device at runtime. The blog adds, "This means that the authors or the operators can add capabilities without the need to recompile and upgrade the Trojan package on the device."
To achieve this adaptability, the operator can remotely load plugins, inject scripts, and push new .NET code that is compiled and executed on the device. "Our analysis indicates that this Trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one," Ventura adds.
The Cisco Talos blog provides URLs, hash values and a custom activity prefix as indicators of compromise (the indicators themselves are not reproduced in this article; defenders should take them from the Talos post), and describes how Cisco's products can be used to detect and block GPlayed-like attacks. Attackers are believed to still be testing GPlayed, but the Cisco researchers warn that it is shaping up as a serious threat.
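The details above (the 'Google Play Marketplace' label, the Reznov.DLL and eCommon.DLL assembly names, and the Xamarin build) are enough to write a simple static triage check for a suspect APK. The following is an added example for this page, not code from Cisco Talos or from the article. It assumes that the app label and package name have already been extracted (for example with `aapt dump badging`) and are passed in as strings, and that, as is conventional for Xamarin.Android builds, the .NET assemblies are stored as files under an `assemblies/` directory inside the APK zip. The sample APKs it inspects are constructed in memory.

```python
"""
Added example (not from the Talos post or the article): static triage of an
Android package that may be impersonating Google Play.

Assumptions, labelled as such:
  * label and package name are supplied by the caller (e.g. from
    `aapt dump badging`); this code does not parse the binary manifest.
  * Xamarin.Android APKs carry their .NET assemblies as files under
    `assemblies/` inside the zip. The names Reznov.dll and eCommon.dll are
    the ones the article attributes to GPlayed; everything else is generic.
"""
import io
import zipfile

# Package name of the genuine Google Play Store client.
GENUINE_PLAY_PACKAGE = "com.android.vending"

# Assembly names the article attributes to GPlayed (matched case-insensitively).
GPLAYED_ASSEMBLIES = {"reznov.dll", "ecommon.dll"}

# Assemblies present in essentially every Xamarin.Android build.
XAMARIN_MARKERS = {"mono.android.dll", "mscorlib.dll"}


def looks_like_play_store_label(label: str) -> bool:
    """True if the user-visible label tries to pass as Google Play."""
    normalized = " ".join(label.lower().split())
    return normalized.startswith("google play")


def list_assemblies(apk_bytes: bytes) -> list[str]:
    """Return lowercased basenames of all entries under assemblies/ in the APK."""
    names = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if entry.lower().startswith("assemblies/") and not entry.endswith("/"):
                names.append(entry.rsplit("/", 1)[-1].lower())
    return names


def assess_app(label: str, package: str, apk_bytes: bytes) -> list[str]:
    """
    Return a list of findings; an empty list means nothing suspicious.
    Findings are fixed strings so a caller can match on them.
    """
    findings = []
    # A Google Play label on any package other than the real client is a red flag.
    if looks_like_play_store_label(label) and package != GENUINE_PLAY_PACKAGE:
        findings.append("label impersonates Google Play but package is " + package)

    assemblies = set(list_assemblies(apk_bytes))
    if assemblies & XAMARIN_MARKERS:
        findings.append("xamarin runtime assemblies present")
    hits = sorted(assemblies & GPLAYED_ASSEMBLIES)
    if hits:
        findings.append("known GPlayed assembly names: " + ", ".join(hits))
    return findings


def build_sample_apk(assembly_names: list[str]) -> bytes:
    """Construct a minimal zip mimicking an APK layout (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        for name in assembly_names:
            apk.writestr("assemblies/" + name, b"MZ")  # PE header stub only
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a Xamarin app calling itself "Google Play Marketplace".
    fake = build_sample_apk(["Mono.Android.dll", "mscorlib.dll", "Reznov.dll", "eCommon.dll"])
    for line in assess_app("Google Play Marketplace", "com.example.fake", fake):
        print("FINDING:", line)
    # Constructed sample: a non-Xamarin app with an innocuous label.
    print("benign findings:", assess_app("Notes", "com.example.notes", build_sample_apk([])))
```

The label check is deliberately strict: the real client is always `com.android.vending`, so any other package presenting a "Google Play ..." label warrants a closer look even before the assemblies are examined. The assembly-name check only catches samples that keep the names reported in the Talos post; a repacked build could rename them, so treat it as a cheap first filter rather than a verdict.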
Ventura added, "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful."
©ictnews.az. All rights reserved.