Fake Google Play Store Malware May Attack Your Phone [GPlayed]

A new Android trojan has been discovered by Cisco Talos dubbed “GPlayed.” This trojan has many built-in capabilities. At the same time, it’s extremely flexible, making it a very effective tool for malicious actors. The sample that Cisco Talos analyzed uses an icon very similar to Google Apps, with the label “Google Play Marketplace” to disguise itself.

What makes this malware extremely powerful is the capability to adapt after it’s deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. The analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed.

The trojan is reportedly capable of things like monitoring location of the user’s device to harvesting their banking credentials.

Read the full report from Cisco Talos here – https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

Indicators of compromise (IOC)

URLs
hxxp://5.9.33.226:5416
hxxp://172.110.10.171:85/testcc.php
hxxp://sub1.tdsworker.ru:5555/3ds/

Hash values
Package.apk – A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f
eCommon.dl – 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1
Reznov.dll – 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3

Custom activity prefix
com.cact.CAct