Like a Human: Malware Learns How to Act to Bypass the Anti-Fraud Mechanisms of the Google Play Store

Kaspersky Lab experts have discovered an Android trojan called Guerilla, whichattempts to overcome the Google Play Store anti-fraud protection mechanisms. Itusesa rogueGoogle Play client application that behaves as if there was a real human behind it. This fake app allows attackers to conduct shady advertisementcampaigns using infected devices to download, install, rate and comment on the mobile applications published on Google Play.The malware is onlycapable of abusing Google Play mechanisms from rooted devices.

As a platform for millions of users and software developers, Google Playis an attractive target for cybercriminals. Among other things, cybercriminals use the Google Play Store to conduct so-called Shuabang campaigns, which arewidespread in China. These arefraudulent advertisement activities aimed at promoting somelegitimate apps by granting them the highest rates, increasing their download rates and posting positive comments about them on Google Play. The apps used to conduct these advertisement campaigns usually do not pose any “standard” threat to the owner of an infected device,such as data or money stealing, but they can still do harm: the ability to download additional apps on the infected device results in extra charges for mobile Internet traffic, and in some cases Shabang apps are capable of covertly installing paid programs, along with free ones; using the bank card attached to the victim’s Google Play account as the payment method.

To conduct these campaigns, criminals create multiple fake Google Play accounts or infect user devices with special malware, which covertly performs actions on Google Play, based on the commands received from hackers.

Although Google has strong protection mechanisms, which help detect and block fake users to prevent fraudulent operations, the authors of the Guerilla trojan seem to be trying to overcome them.

The trojan is delivered to the targeted device through Leech rootkit –a malware that gives an attacker user privileges over the infected device. These privileges give the attacker unlimited opportunities to manipulate the data on the device. Among other things it gives them access to the victim’s username, passwords, and authentication tokens, which are mandatory for an app to communicate with official Google services,and are inaccessible to ordinary applications on non-rooted devices. After installation, the Guerilla trojan uses this data to communicate with the Google Play Store as if it was real Google Play app.

The criminals arevery cautious: they are careful enough to use the authentication data of a real user, and they also make requests from the fake client application, to Google Play,look exactly like requests that the real app would issue.

Another unusual thing about this trojan is that malware writers have tried to mimic the way an actual user interacts with thestore. For instance, before it requests a page where a particular app is hosted, it searches for an app of interest, like a human would, should they need to find an app.

“Guerilla is not the first malicious app that tries to manipulate the Google Play store, but it does it in a pretty sophisticated way, that we haven’t seen before. The thinking behind this method is clear: Google can probably easily distinguish requests to Google Play that were made by robots – most of the Shuabang malware we know about just automatically sends out requests for the particular page of a particular app. This isn’t something that a real human would do, so it is easy for Google to see that the request is not really from an authorized user. The malware that searches an app before it goes to the app’s page is much harder to detect, as this is how most of Google Play users behave. It is important to note, however, that this malware is only capable of abusing Google Play mechanisms from rooted devices, which again reminds us of how important it is to avoid using rooted Android smartphones and tablets”, - said Nikita Buchka, security expert at Kaspersky Lab.

Kaspersky Lab products detect the Guerilla malware as: Trojan.AndroidOS.Guerrilla.a.

In order to protect yourself and your mobile device from the malware that targets Android-based devices, Kaspersky Lab’s experts advise the following:

- Restrict the installation of apps from sources different to official app stores
- Use proven protection solutions to defend your Android-based device from malware and other cyberthreats
- Don’t root your Android device

To learn more about methods that cybercriminals use to abuse Google Play Store, read the blog post available at Securelist.com.