Security researchers have discovered a new Android trojan named Skyfin that can infiltrate the local Play Store Android app and download or purchase other apps behind the user’s back.
Until now, Skyfin has been found only as a second-stage download on phones infected by trojans of the Android.DownLoader family.
Android.DownLoader is an Android trojan that’s spread via booby-trapped apps distributed through third-party app stores. Last month, researchers found the trojan in the firmware of 26 low-cost Android devices. This trojan is notable because of its ability to download and run exploits that root the user’s device.
This allows Android.DownLoader to carry out any type of operations, including downloading other apps. According to Dr.Web, a security firm based in Russia, one of the apps downloaded in some of these instances contains the Skyfin trojan.
Skyfin injects itself in Play Store app process
While Android.DownLoader itself could be used to download other apps, Skyfin appears to be a trojan specialized in seamlessly infiltrating the standard Google Play Store app, containing features built specifically for this role.
According to Dr.Web, Skyfin can perform the following operations, not supported in Android.DownLoader.
/search - search in the catalog for the simulation of user action sequence;
/purchase - request for the program purchase;
/commitPurchase - purchase confirmation;
/acceptTos - confirmation of consent to the license term conditions;
/delivery - link request for download of an APK file from the catalog;
/addReview /deleteReview /rateReview - adding, deleting and rating of reviews;
/log - confirmation of the program download used for the twist of the total installs.
Skyfin can perform all these actions by injecting itself in the native Google Play Store app process and by stealing and mimicking the device’s unique ID, the phone owner’s Google account, and internal authorization codes.
These details allow the trojan to carry out all its operations without raising any suspicions or alarm bells.
Skyfin used to boost install numbers for other apps
According to Dr.Web, the trojan downloads apps from the Play Store and saves them to a local SD card, and later installs them. The trojan’s operators appear to be making a profit by boosting the install counts of other apps.
Researchers said that first versions of Skyfin came hardcoded to download and install an app named “com.op.blinkingcamera.”
After Google removed the app from the Play Store, subsequent Skyfin infections contacted a command and control server from where they retrieved a list of apps they had to install.