Hackers Use Steganography to Hide Trojan in Over 60 Google Play Games

Rafia Shaikh

Security researchers have detected a trojan targeting over 60 games hosted on the Google Play Store, enabling them to mine user data while the game is being played on the smartphones.

android security

Hackers hide malicious code inside images of Android games:

Russian antivirus vendor Doctor Web has reported a number of rogue apps masquerading as mobile games to Google last week. Named as Android.Xiny.19.origin, the new Android malware acts like a trojan, executing malicious code hidden inside the images after the apps are downloaded on a device. The trojan is designed to "download, install, and run programs upon receiving a command" from hackers. Incorporated into over 60 functional games, the rogue apps are distributed via Google Play under the name of more than 30 game developers. A user will have no way of being suspicious as the apps work perfectly like any other, except for collecting data and installing more malware while the user is busy playing games.

According to security researchers, the following data is being collected:

  • Phone's IMEI identifier and MAC address
  • Version and the current language of the operating system
  • Mobile network operator name
  • Information about accessibility of a memory card
  • Name of the application in which the trojan is incorporated into
  • Details about this application being in the system folder

The biggest threat of this Android malware is not just retrieval of user and device data, but what else this trojan is capable of. Doctor Web explains that Android.Xiny.19.origin has the capability to "download and dynamically run arbitrary apk files upon cybercriminals' command." To masquerade the malicious code, the hackers have hidden it in specially created images by applying steganography, making detection difficult. Thanks to this ability, the latest Android malware can perform other malicious functions like downloading software and deleting applications without the user's knowledge when "root access is available."

While users have no way of detecting if they should "trust" an app on Google Play Store, one simple trick does the job: disable installation of apps from Unknown Sources. Google introduced an automated scanner called Bouncer a few years ago to detect malware hidden inside the games. While it is very much possible to bypass it, most of the Android malware cases are now seen distributed through third-party app stores.

We have previously seen steganography being used to hide malware in several cases. Some of these cases involved potential attempts at hacking and spying your computer while the latest Android malware seems to be more concerned with covertly downloading applications. You can read more details about this particular case in this blog post.

Share this story

Deal of the Day