Kaspersky researchers detected a Trojan application that deceives users with unsolicited advertisements and boosts the installation of applications for online purchases, tricking both users and advertisers.
This malicious app "visits" smartphone app stores, "downloads" and launches applications, and leaves false reviews on behalf of the user, all unbeknownst to the device owner.
As winter discounts approach, both users and brands must be on alert. When choosing stores, users rely heavily on reviews, while retailers increase promotion and advertising budgets. As it turns out, no one can have full confidence in what they see on the internet, as a new Trojan app enhances ratings and installations of popular applications for online shopping and spreads numerous advertisements that may annoy users.
The Trojan, titled "Shopper", caught the attention of researchers because of its widespread use of Google's accessibility service. The service, designed to help people with disabilities, allows users to designate a voice to read the content of an application and to automate interaction with the user interface. However, in the hands of attackers this function poses a serious threat to the owner of the device.
Once authorized to use the service, the malware can acquire almost limitless opportunities to interact with the system interface and applications. It can record data displayed on the screen, press buttons, and even simulate user movements.
It is not yet known how the malicious application spreads; however, Kaspersky researchers assume that device owners download it from fraudulent advertisements or third-party app stores while trying to download a legitimate application. The application disguises itself as a system application and uses a system icon named "Conpapks" to hide from the user.
After the screen is unlocked, the application launches, gathers information about the victim's device and sends it to the attacker's servers. The server returns commands for the application to run. Depending on the commands, the application can:
• Use a device owner's Google or Facebook account to sign up in popular shopping and entertainment applications, including AliExpress, Lazada, Zalora, Shein, Joom, Likee and Alibaba.
• Leave app reviews on Google Play on behalf of the device owner.
• Check whether it has permission to use the accessibility service. If permission has not been granted, it sends a phishing request for it.
• Disable Google Play Protection, a feature that performs a security check on apps from the Google Play Store before downloading them.
• Open links received from the remote server in an invisible window, and hide itself from the application menu after a series of screen unlocks.
• Display ads when the device screen is unlocked and generate labels for the displayed ads in the app menu.
• Open and download advertised apps on Google Play.
• Replace the labels of the installed applications with the advertised page labels.
To reduce the risk of malware infection, users are advised to do the following:
• Be wary of applications that request use of the accessibility service when the application's stated purpose does not call for it.
• Always check the app permissions to see what your installed apps are allowed to do.
• Do not install applications from untrusted sources, even if they are actively advertised, and block the installation of programs from unknown sources in your smartphone settings.
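
One way to act on the first two recommendations from a workstation with adb, shown as an added example (not Kaspersky's tooling): list the user-installed packages that currently hold an enabled accessibility service, since an app posing as a system component would appear here. The package names and sample values are constructed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag user-installed (third-party) packages that have an
# accessibility service enabled. Such a package deserves a manual look,
# especially when it presents itself as a system component.

# flag_third_party_a11y SERVICES THIRD_PARTY_LIST
#   SERVICES:         value of the secure setting enabled_accessibility_services,
#                     a colon-separated list of "package/ServiceClass" entries
#   THIRD_PARTY_LIST: output of `pm list packages -3` ("package:<name>" lines)
# Prints one flagged package name per line.
flag_third_party_a11y() {
    services=$1
    third_party=$2
    printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue            # empty setting
        [ "$entry" = "null" ] && continue      # setting never written
        pkg=${entry%%/*}                       # keep the package part only
        # Exact, fixed-string match against the third-party package list
        if printf '%s\n' "$third_party" | grep -qxF "package:$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done | sort -u
}

# Collect both inputs from a connected device (requires adb and USB debugging).
audit_device() {
    services=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    third_party=$(adb shell pm list packages -3 | tr -d '\r')
    flag_third_party_a11y "$services" "$third_party"
}

# Constructed sample data: a preinstalled screen reader plus a user-installed
# package (hypothetical name) that also holds an accessibility service.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakesystem/com.example.fakesystem.HelperService'
SAMPLE_THIRD_PARTY='package:com.example.fakesystem
package:com.example.notes'

flag_third_party_a11y "$SAMPLE_SERVICES" "$SAMPLE_THIRD_PARTY"
```

Run `audit_device` against a real phone; any package it prints that the owner did not knowingly grant accessibility access to should be reviewed and, if unrecognized, removed.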