A new Trojan application is boosting popular shopping app ratings and installations and spreading ads that annoy users and over 14% Indians have been affected by this malware dubbed as ‘Shopper, researchers from global cybersecurity and anti-virus brand Kaspersky said on Sunday.
The highest share of users infected by ‘Trojan-Dropper. AndroidOS.Shopper.a’ from October to November 2019 was in Russia, with a staggering 28.46% of all users affected by the shopaholic app located in the country. Almost a fifth (18.70%) of infections were in Brazil and 14.23% in India.
“Despite the fact that at the moment, the real danger stemming from this malicious app is limited to unsolicited ads, fake reviews and ratings issued in the name of the victim, no one can guarantee that the creators of this malware will not change their payload to something else,” Igor Golovin, Malware Analyst at Kaspersky, said in a statement.
For now, the focus of this malicious app is on retail, but its capabilities enable attackers to spread fake information via users’ social media accounts and other platforms.
The Trojan, dubbed ‘Shopper’, first drew the attention of researchers following its extensive obfuscation and use of the Google Accessibility Service.
The service enables users to set a voice to read out app content and automate interaction with the user interface — designed to help people with disabilities. However, in the hands of attackers this feature presents a serious threat to the device owner.
“The malware could automatically share videos containing whatever the operators behind Shopper would want on personal pages of users accounts and just flood the internet with unreliable information,” added Golovin.
According to the researchers, once the Trojan has the permission to use the service, it can gain almost unlimited opportunities to interact with the system interface and applications. It can capture data featured on the screen, press buttons and even emulate user gestures.
It is not known yet how the malicious application is being spread, however, researchers at Kaspersky assume that it may be downloaded by device owners from fraudulent ads or third-party app stores while trying to get a legitimate application.
Surprisingly, the app masks itself as a system application and uses a system icon named ‘ConfigAPKs’ in order to hide itself from the user.
After the screen is unlocked, the app launches, gathers information about the victim’s device and sends it to the attacker’s servers. The server returns the commands for the application to execute.
Notably, depending on the commands, the app can use a device owner’s Google or Facebook account to register on popular shopping and entertainment such as AliExpress, Lazada, Zalora, Shein, Joom, Likee and Alibaba, leave application reviews in Google Play on behalf of the device owner, check the rights to use the Accessibility Service and if permission is not granted, it sends a phishing request for them.
The app can also turn off Google Play Protect — a feature that runs a safety check on apps from the Google Play Store before they are downloaded, and open links received from the remote server in an invisible window and hide itself from the app menu after a number of screens are unblocked.
