Sneaky three-stage malware found in Google Play store

Another crop of Android apps hiding malware has been discovered in – and removed from – the Google Play store.

Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.

Disguised as apps including news aggregators and system cleaners, the apps looked legitimate but hid their malicious properties through obfuscation and by delaying the installation of the payload.


Following the initial download, the app doesn’t request the suspicious permissions associated with malware and will initially mimic the activity the user expects – the latter is an increasingly common tactic by malicious software developers.

However, alongside this user-facing activity, the app secretly decrypts and executes its payloads in a multi-step process. The malicious app decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload. This second-stage payload contains a hardcoded URL which the malware uses to download a third-stage payload containing another malicious app.

All of this is going on in the background without the user’s knowledge until, after a five-minute wait, they’re prompted to install or update an app. This is disguised to look like legitimate software, such as an update for Adobe Flash Player or the Android system itself, when it is in fact the third stage of the malware’s dropping process.

The installation request asks for permission for intrusive activities such as reading contacts, sending and receiving calls and text messages, and the ability to modify and delete the contents of storage. If permission is given to install this ‘update’, Trojan Dropper delivers the third-stage payload which decrypts and executes the final payload in the form of the malware itself.
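For defenders triaging a suspect APK, the combination described above (an "update" label plus the contacts, calls, SMS and storage permissions) can be checked from `aapt dump badging` output. The sketch below is an added example, not ESET's tooling; the permission mapping, the label patterns, the threshold and the sample outputs are assumptions constructed for illustration.

```python
import re

# Assumed mapping from the permission groups named in the article to Android
# permission constants; the article does not list the exact manifest entries.
INTRUSIVE = {
    "contacts": {"READ_CONTACTS"},
    "calls": {"CALL_PHONE", "PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS"},
    "sms": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS"},
    "storage": {"WRITE_EXTERNAL_STORAGE"},
}
# Labels the article says the third stage imitates (the patterns are an assumption).
MASQUERADE = re.compile(r"flash\s*player|android\s*(system\s*)?update", re.I)

def parse_badging(text):
    """Extract the app label and permission names from `aapt dump badging` output."""
    label = re.search(r"^application-label:'([^']*)'", text, re.M)
    perms = re.findall(r"^uses-permission: name='android\.permission\.(\w+)'", text, re.M)
    return (label.group(1) if label else ""), set(perms)

def triage(text, min_groups=3):
    """Flag an APK whose label imitates an update and that requests several intrusive groups."""
    label, perms = parse_badging(text)
    groups = sorted(g for g, names in INTRUSIVE.items() if names & perms)
    masquerades = bool(MASQUERADE.search(label))
    return {"label": label, "groups": groups, "masquerades": masquerades,
            "suspicious": masquerades and len(groups) >= min_groups}

# Constructed sample outputs, not taken from any real sample.
FAKE_UPDATE = """package: name='com.example.updater' versionCode='1' versionName='1.0'
application-label:'Adobe Flash Player'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""
BENIGN = """package: name='com.example.news' versionCode='7' versionName='2.1'
application-label:'Daily News Reader'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    for name, sample in (("fake update", FAKE_UPDATE), ("benign", BENIGN)):
        print(name, triage(sample))
```

A hit here is a reason to inspect the package further, not a verdict: labels and permission sets are attacker-controlled, and a legitimate app can match both.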

Once installed on the device, Trojan Dropper is used to install other forms of malware – the malware has been spotted attempting to deliver the MazarBot banking trojan and various forms of spyware, but researchers note it can be used to deliver any malicious payload of the criminals’ choice.