Kaspersky Lab experts have discovered an Android Trojan named Shopper. Attackers use this malware to distribute numerous advertisements, install various applications on devices without their owners' knowledge, and leave fake reviews on Google Play in the owners' names.
In December 2019, the malware most often attacked Russian users. Their share was 31%. Brazil came in second place with 18% of infected users, and India came in third with 13%.
The Trojan uses the Google Accessibility Service, which is designed to make applications easier to use for people with disabilities. Attackers use its capabilities to interact with the system interface and applications, so Shopper can intercept data appearing on the screen, press buttons and even imitate user gestures.
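Because the Trojan depends on an enabled accessibility service, a quick check of which services are enabled on a device helps with triage. The following is an added example, not code from Kaspersky Lab or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and reports every service outside an allowlist. The allowlist, the sample value and the `com.example.cleaner` package are constructed assumptions.

```python
# Added example (not from the original article): triage the accessibility
# services enabled on an Android device. Input is the text returned by
#   adb shell settings get secure enabled_accessibility_services
# TRUSTED_PACKAGES and SAMPLE are constructed for illustration.

TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Constructed sample: one expected service, one hypothetical "cleaner" app.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleaner/.BoostService"
)


def parse_services(raw):
    """Split the colon-separated setting into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: nothing enabled
        return []
    services = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, sep, cls = entry.partition("/")
        if not sep:  # malformed entry: keep it so it is reviewed
            services.append((entry, None))
            continue
        if cls.startswith("."):  # ".Name" is shorthand for package + ".Name"
            cls = package + cls
        services.append((package, cls))
    return services


def untrusted_services(raw, trusted=TRUSTED_PACKAGES):
    """Return enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_services(raw) if pkg not in trusted]


if __name__ == "__main__":
    for pkg, cls in untrusted_services(SAMPLE):
        print(f"review: {pkg} runs accessibility service {cls}")
```

A flagged entry is not proof of infection; it marks an application that holds the screen-reading and input capabilities described above and should be reviewed.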
Researchers believe that the Trojan can reach a device through fraudulent advertisements or from third-party application stores when a user tries to download an allegedly legitimate program.
The malware pretends to be system software, for example, services for cleaning up and speeding up a smartphone, and masquerades as an application called ConfigAPKs. The Trojan collects information about the victim’s device, sends it to the attacker’s servers, and then receives commands that can result in the following scenarios:
- the device owner's Google or Facebook accounts can be used without the owner's knowledge to register in shopping or entertainment applications;
- fake app reviews can be created;
- the Google Play Protect function, which checks the security of an application from the Google Play store before it is downloaded, can be turned off;
- links received from a remote server can be opened in an invisible window;
- numerous advertising windows may appear and shortcuts for advertising applications may be created in the application menu;
- applications can be downloaded from Google Play and installed without the owner’s knowledge;
- shortcuts for installed applications can be changed to shortcuts for advertising pages.
“Now Shopper is mainly aimed at online stores, and its action is limited to distributing advertisements, creating fake reviews and juggling ratings, but there is no guarantee that its authors will stop at this and will not modify the malware, adding new features to it. In any case, we recommend that users be careful about what resources they download applications from and, if possible, install a protective solution on their smartphones to minimize the risks of infection,” said Igor Golovin, an antivirus expert at Kaspersky Lab.