While there are many apps that show ads on the Google Play Store, most of them are upfront about this behavior.
The Multiple Accounts: 2 Accounts app hides it. Dr.Web researchers say the malware is packed inside two JAR files that are encrypted and hidden inside a PNG image named icon.png using steganography.
When the app runs, the modules are extracted from the image and executed. Most of the time, the app downloads and shows ads on the user’s phone, which creates a revenue stream for its developer.
Android.MulDrop roots devices
Android.MulDrop carries out all its malicious operations through a series of plugins it downloads to the user’s device. These plugins are other malware families incorporated inside Android.MulDrop.
The adware behavior is provided by the Android.DownLoader.451.origin malware, while the app downloading behavior is carried out using Android.Triada.99.
Android.Triada.99, or simply Triada, is one of the most dangerous Android trojans known today, mostly used as a banking trojan. Android.MulDrop uses Triada to root devices in order to download other apps.
There’s a trend of using dual account apps to spread malware
Avast security researchers have seen a trend of Chinese malware authors packing malware inside apps that allow users to log into social media apps using different identities.
Until now, they’ve seen these apps distributed via third-party app stores. Android.MulDrop is the first case that has been seen distributed through the Google Play Store.