We at ESET recently discovered an interesting stealth attack on Android users: a fake app that uses a regular game's name, with one interesting addition. The application was bundled with another application named systemdata or resourcea, which is certainly a bit fishy. Why would a regular game downloaded from the official Google Play store come with another application named systemdata? This bundled application is certainly not a system application, as the name seems intended to suggest.

The packaged application is dropped silently onto the device but still has to ask the user to actually install it. The app requesting the installation is passed off as a ‘Manage Settings’ app. After installation, the application runs in the background as a service.

ESET detects the games that install the Trojan as Android/TrojanDropper.Mapin and the Trojan itself as Android/Mapin. According to our telemetry, Android users in India are currently the most affected, with 73.58 percent of these detections observed.

It’s a backdoor Trojan that takes control of your device and makes it part of a botnet under the attacker’s control. The Trojan sets timers that delay the execution of the malicious payload. This makes it less obvious that the Trojanized game is responsible for the suspicious behavior. In some variants of this infiltration, at least three days must elapse before the malware achieves full Trojan functionality. It’s probably this delay that enabled the TrojanDownloader to get past Google’s Bouncer malware prevention system.

After that, the Trojan requests device administrator rights and starts to communicate with its remote C&C server. Android/Mapin contains multiple functionalities, such as pushing various notifications, downloading, installing and launching applications, and obtaining the user’s private information, but its main purpose appears to be to display fullscreen advertisements on the infected device.

Distribution vectors: Google Play & Co.

The most interesting thing about this Android Trojan is that it was available for download from the official Google Play Store in late 2013 and 2014 as Hill climb racing the game, Plants vs zombies 2, Subway suffers, Traffic Racer, Temple Run 2 Zombies, and Super Hero Adventure by the developers TopGame24h, TopGameHit and SHSH. The malware was uploaded to Google Play on November 24-30, 2013 and November 22, 2014.

According to MIXRANK, Plants vs zombies 2 had over 10,000 downloads before it was pulled. On the same dates, System optimizer, Zombie Tsunami, tom cat talk, Super Hero adventure, Classic brick game and the applications mentioned earlier from the Google Play Store, packaged with the same backdoor, were uploaded to several alternative Android markets by the same developers.

The same backdoor was also found packed with other applications uploaded by the developer PRStudio (not prStudio) to alternative Android markets, some of which reference the official Google Play Store. This developer uploaded at least five other Trojanized applications* to various third-party Android markets: Candy crush or Jewel crush, Racing rivals, Super maria journey, Zombie highway killer, and Plants vs Zombies. All of these infected games are still available for download from these markets, and they have been downloaded thousands of times.


Figure 1: Infected applications

Figure 2: Application gets positive feedback

*Note that the Trojan has nothing to do with the official games developed by King or other legitimate applications, whose names were abused for the distribution of the Trojan.

Infection: Victims are asked to install the malware 24 hours after execution

There are variations in the way this malware is launched. In one variant, the Trojan is dropped and the victim is asked to install it 24 hours after the first execution of the downloaded application. This method seems less suspicious to the user and makes him believe that the request to install an application comes from the operating system. Other Trojan versions don’t wait 24 hours but start immediately. All variants are triggered by a change in connectivity, through a broadcast receiver registered in the manifest.

Figure 3: Connectivity changed receiver

When the connection is changed, the user is prompted to install the ‘system application’. The dropped malware pretends to be Google Play Update or Manage Settings.

Figure 4: Install requests by trojan

If the user chooses to cancel rather than install, then he or she will be prompted again to install every time the connection is changed. The average user will be convinced that this is some important update and at some point is likely to install it just to get rid of this notification. After that, the Trojan starts a service with its own registered broadcast receiver, waiting for another connection change.

When a connection occurs, the malware tries to register itself with the Google Cloud Messaging (GCM) servers so that it can receive messages. After GCM registration, Android/Mapin registers the infected device on its own server, sending the user name, Google account, IMEI, registration ID and its own package name.

Figure 5: Device registering to attacker’s server

To keep itself from being uninstalled, the Trojan demands that the user activate the ‘device administrator’:

Figure 6: Device administrator

The Trojan notifies the remote server as to whether the device admin activation was successful or not. Subsequently, a full-screen (interstitial) ad pops up for the user. This interstitial ad is displayed each time connectivity changes. The ads are delivered by misusing the legitimate AdMob SDK.

Figure 7: Interstitial ads

Communication through Google Cloud Messaging

The Trojan communicates with the server using Google Cloud Messaging (GCM). Such communication is becoming more and more common in malware. The backdoor responds to commands received from the server.
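The three manifest-level traits described so far (a broadcast receiver for connectivity changes, a device-administrator receiver, and a receiver for GCM messages) are each legitimate on their own but together are unusual for a game, and they can be checked statically from a decoded AndroidManifest.xml. The following triage script is an added example written for this post, not ESET's tooling or the malware's code; the manifest it parses is constructed for the example (package name com.example.game is a placeholder, not one of the samples listed), and the action and permission strings are the standard Android and GCM identifiers.

```python
# Added example (not ESET's code): static triage of a decoded AndroidManifest.xml
# for the combination of indicators discussed in the text: a manifest-registered
# receiver for connectivity changes, a device-administrator receiver, and a GCM
# message receiver. The sample manifest below is constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Standard Android / GCM identifiers. Each is benign alone; their combination
# in a game is what warrants a closer manual look.
CONNECTIVITY_ACTION = "android.net.conn.CONNECTIVITY_CHANGE"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
GCM_ACTION = "com.google.android.c2dm.intent.RECEIVE"

# Constructed manifest (placeholder package name, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Example Game">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GcmReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def receiver_info(manifest_xml):
    """Map each <receiver> class name to its intent actions and guard permission."""
    root = ET.fromstring(manifest_xml)
    result = {}
    for receiver in root.iter("receiver"):
        actions = {action.get(NAME, "") for action in receiver.iter("action")}
        result[receiver.get(NAME, "")] = {
            "actions": actions,
            "permission": receiver.get(PERMISSION, ""),
        }
    return result


def triage_manifest(manifest_xml):
    """Return the sorted list of indicator names present in the manifest."""
    found = set()
    for info in receiver_info(manifest_xml).values():
        if CONNECTIVITY_ACTION in info["actions"]:
            found.add("connectivity_change_receiver")
        if (DEVICE_ADMIN_ACTION in info["actions"]
                and info["permission"] == DEVICE_ADMIN_PERMISSION):
            found.add("device_admin_receiver")
        if GCM_ACTION in info["actions"]:
            found.add("gcm_receiver")
    return sorted(found)


if __name__ == "__main__":
    # A game whose manifest carries all three indicators deserves manual review.
    print(triage_manifest(SAMPLE_MANIFEST))
```

The script expects a decoded (text) manifest such as apktool produces; the binary AXML inside an APK must be decoded first. A single hit is common in legitimate apps, so it is the count that matters for prioritising samples.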

Figure 8: Commands

Not all of its functionality has been fully implemented, and some of the functionality that is implemented isn’t used. There is a possibility that this threat is still under development and the Trojan may be improved in the future. Its main purpose, controlled from the remote server, is to deliver aggressive advertisements to the end user while pretending to be a system application.

It can also deliver another malicious program to the user’s device. It can enable or disable interstitial or banner ads, change the publisher ID for displayed ads, choose whether or not to display ads to the user, change the delay between ads, install, download and launch applications, push notifications, revoke device admin rights, change the server with which the malware communicates, and create shortcuts on the home screen to URLs that install downloaded applications. After executing each task received via GCM, the client device informs the remote server over HTTPS that the task has been completed.

Conclusion

The Trojan was successfully uploaded to the Google Play Store, probably because Bouncer hadn’t implemented all the relevant malware triggers, in this case for emulating a change of network connectivity. Another interesting question is why Bouncer didn’t statically analyze the executable file inside the assets of the uploaded game. For that reason, the Trojan stayed undetected and was freely provided to users. The infected game “Super Hero adventure” was uploaded to the Play Store by the developer “SHSH”. It’s possible that more applications from this developer were uploaded to the official Google store. The Trojans were eventually pulled from the Google Play store, but were undetected for nearly a year and a half. Perhaps because of this and similar cases, Google announced that as of March 2015, all apps and updates must pass human review.

The best practice for avoiding malware from the official store is to download applications only from trustworthy developers, to read comments from people who are already using them, and to consider whether the permissions an app requests at installation are justified. If something suspicious happens, consider supplying a sample to your antivirus vendor for analysis, along with your reasons for submitting it.

More information & hashes

App Name | Package Name | MD5 | Detection
--- | --- | --- | ---
Highway Zombie | com.heighwayzombie | 2f6323af124f9fd57edb1482827f9481 | Android/TrojanDropper.Mapin
Plant vs Zombie | com.plantzombie | 8721901a2caaeb98a19e0fb909ce2569 | Android/TrojanDropper.Mapin
USubway Suffer | com.subwaysuffers | ba3c1894310d38aa814ad3c58f1c8469 | Android/TrojanDropper.Mapin
Climb racing | com.hillclimbrace | 87cc79d6f6795fea0df109e181d1a3e8 | Android/TrojanDropper.Mapin
Temple run 2 Zoombie | com.templerunzombies | d5afd7ba5b3bd24cd4fa5201882e1a9d | Android/TrojanDropper.Mapin
Traffic Racer | com.traficracer | 9cbfd66f35a36d9f75a89f342da9c784 | Android/TrojanDropper.Mapin
Google Play update | com.system.main | f8df9e2d21018badc7555a9233a8b53e | Android/Mapin
Arrange Block - Brick game | com.game.arrangeblock | d7facf652d3947a53f85431ba8a4cd4a | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | 5586e93ac84317348904adfe01c9715c | Android/Mapin
Candy crush | com.tgame.candycrush | 745e9a47febb444c42fb0561c3cea794 | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | c19896fdd3b96b9324c6b79cc39eca5b | Android/Mapin
Super maria adventure | com.game.supermario | 0d7c889e8a9be51a58041d55095f104f | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | c19896fdd3b96b9324c6b79cc39eca5b | Android/Mapin
Super maria journey | com.tgame.maria | ee8e4e3801c0101998b7dfee33f35f95 | Android/TrojanDropper.Mapin
Google Play Update | com.appgp.main | 195432955e70ec72018ead058f7abc2d | Android/Mapin
Zombies highway killer | com.absgame.zombiehighwaykiller | 1516174c4a7f781c5f3ea6ac8447867b | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | f05ac3ac794ee8456db4d0331830d2d8 | Android/Mapin
Plants Vs Zombies | com.tgame.plantvszombie | 10edaf2b4c25375644faf78a25790061 | Android/TrojanDropper.Mapin
Google Play Update | com.appgp.main | f8879f759b00ed9d406dd14ce450584b | Android/Mapin
Plants Vs Zombies | com.popcap.pvz_row | 9b72df484915ce589ade74e65ecdfaed | Android/TrojanDropper.Mapin
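The conclusion points out that a second executable sitting in the game's assets could have been caught by static analysis, and the table above gives the hashes of the droppers and the dropped payloads. The script below, an added example that is not ESET's tooling, combines the two checks: it walks the assets/ directory of an APK looking for an embedded DEX file or a nested APK, and it compares MD5s against a handful of the hashes from the table. The APK it scans is built in memory and is purely constructed (its DEX content is a magic header followed by padding, and the asset name systemdata is taken from the text); no real sample is needed to run it.

```python
# Added example (not ESET's code): static triage of an APK's assets/ directory
# for a nested executable (DEX or a second APK), plus an MD5 lookup against the
# hashes listed on this page. The APK scanned here is constructed in memory and
# is not a real sample.
import hashlib
import io
import zipfile

# A few MD5s copied from the table above (page data, not invented).
KNOWN_MD5 = {
    "f8df9e2d21018badc7555a9233a8b53e": "Android/Mapin",
    "5586e93ac84317348904adfe01c9715c": "Android/Mapin",
    "2f6323af124f9fd57edb1482827f9481": "Android/TrojanDropper.Mapin",
}

DEX_MAGIC = b"dex\n"          # first bytes of every Dalvik executable
ZIP_MAGIC = b"PK\x03\x04"     # local file header that starts a ZIP/APK


def is_android_package(blob):
    """True if blob is a ZIP archive that carries a classes*.dex entry, i.e. an APK."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.startswith("classes") and n.endswith(".dex")
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_apk(apk_bytes):
    """Return (kind, name, md5) findings: IoC hash hits and executables under assets/."""
    findings = []
    md5 = hashlib.md5(apk_bytes).hexdigest()
    if md5 in KNOWN_MD5:
        findings.append(("ioc_match", "<apk>", md5))
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/"):
                continue
            data = zf.read(name)
            data_md5 = hashlib.md5(data).hexdigest()
            if data_md5 in KNOWN_MD5:
                findings.append(("ioc_match", name, data_md5))
            if data.startswith(DEX_MAGIC):
                findings.append(("nested_dex", name, data_md5))
            elif is_android_package(data):
                findings.append(("nested_apk", name, data_md5))
    return findings


def build_constructed_apk():
    """Build a toy 'game' APK in memory that carries a second APK under assets/systemdata."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 16   # magic + padding, not real bytecode
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")   # stand-in, not real AXML
        zf.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("assets/level1.png", b"\x89PNG\r\n\x1a\n")   # ordinary game asset
        zf.writestr("assets/systemdata", inner.getvalue())       # the bundled payload
    return outer.getvalue()


if __name__ == "__main__":
    for kind, name, digest in scan_apk(build_constructed_apk()):
        print(kind, name, digest)
```

Real droppers may obfuscate the payload (for instance by encrypting it, or by storing it without a file extension as this one does), so the magic-byte checks catch only the unobfuscated case; the hash lookup is exact-match and should be extended with the full table for operational use.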