Android devices are targeted by a new type of malware that secretly downloads and purchases applications from the Google Play Store, while also being capable of stealing information, such as the configured Google account.

Codenamed Skyfin, the new infection reaches Android devices with the help of a different piece of malware known as Android.DownLoader, which usually spreads as part of applications posted in third-party stores. In other words, users who download apps from any store other than Google’s are exposed to these attacks, so they should double-check each APK to make sure it’s not infected.

Security company Dr. Web says Skyfin can compromise the Google Play Store process to automatically download apps onto users’ devices. The apps are not installed, though; each file is only stored in the downloads folder, so that users do not notice any difference on their phones.

“It steals a mobile device’s unique ID and the account of the device’s owner which are used to interact with Google services; it also steals various internal authorization codes for connecting to the Google Play catalog as well as other confidential data. Then the module sends this data to the main component of Android.Skyfin.1.origin, after which the Trojan sends the data to the command and control server along with the device’s technical information,” the firm says.

Listening to commands from authors

The malware listens to a series of commands and can search the Google Play store for a specific app, purchase it, accept terms of service should there be any, add reviews and rate apps.

It goes without saying that attackers can use the malware to increase the popularity of certain Google Play applications without users even knowing that their devices are affected.

Furthermore, it turns out that Skyfin can even click on banner ads in apps, which means that its authors can generate revenue using compromised devices.

“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server. Another Android.Skyfin.1.origin modification is more general. It can download any application from the catalog. For this purpose, the cybercriminals provide the Trojan with a list of programs for download,” the security firm says.

The easiest way to remain secure is to always keep an eye on the files you download from third-party stores, and to never open APKs that look suspicious. If you’re looking for a large collection of Android APKs, Softpedia also has its own section that lets you download files securely with zero chance of getting infected, as all packages are scanned by our team.