Kaspersky researchers detected a Trojan application that terrorizes users with unsolicited ads and boosts installations of online shopping applications. This malicious app visits smartphone app stores, downloads and launches applications and leaves fake reviews on behalf of the user, all while hiding itself from the device owner.
As sales are hitting the stores, both users and brands need to be wary. When choosing shops, users rely heavily on reviews, while retailers increase their promotion and advertising budgets. As it turns out, neither can fully trust what they see online, as a new Trojan application is boosting popular shopping app ratings and installations, and spreading numerous ads that may annoy users.
The Trojan, dubbed ‘Shopper’, first drew the attention of researchers because of its extensive obfuscation and its use of the Google Accessibility Service. The service, designed to help people with disabilities, lets users set a voice to read out app content and automate interaction with the user interface. In the hands of attackers, however, this feature presents a serious threat to the device owner.
Once it has permission to use the service, the malware gains almost unlimited opportunities to interact with the system interface and applications. It can capture data featured on the screen, press buttons and even emulate user gestures. It is not yet known how the malicious application is being spread; however, Kaspersky researchers assume that it may be downloaded by device owners from fraudulent ads or third-party app stores while trying to get a legitimate application. The app masks itself as a system application and uses a system icon named ConfigAPKs in order to hide itself from the user. After the screen is unlocked, the app launches, gathers information about the victim’s device and sends it to the attacker’s servers. The server returns the commands for the application to execute. Depending on the commands, the app can:
- Use a device owner’s Google or Facebook account to register on popular shopping and entertainment apps, including AliExpress, Lazada, Zalora, Shein, Joom, Likee and Alibaba;
- Leave application reviews in Google Play on behalf of the device owner;
- Check the rights to use the Accessibility Service. If permission is not granted, it sends a phishing request for it;
- Turn off Google Play Protect, a feature that runs a safety check on apps from the Google Play Store before they are downloaded.
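
An added example, not from Kaspersky's report: a defender-side audit that parses captured `adb` output and flags enabled accessibility services belonging to user-installed packages, which is where an app posing as a system component would surface. The package names and sample output are constructed, and the `approved` allowlist is a hypothetical parameter.

```python
PLAY_STORE = "com.android.vending"
# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.configapks/.SvcAccess")
# Constructed sample of: adb shell pm list packages -3 -i  (user-installed apps)
SAMPLE_THIRD_PARTY = """\
package:com.example.configapks  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):          # nothing enabled
        return []
    pairs = (comp.strip().partition("/") for comp in raw.split(":"))
    return [(pkg, cls) for pkg, _, cls in pairs if pkg]

def parse_third_party(raw):
    """Map package -> installer (None if unknown) from 'pm list packages -3 -i'."""
    installers = {}
    for line in raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        inst = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
        installers[fields[0].split(":", 1)[1]] = inst[0] if inst and inst[0] != "null" else None
    return installers

def audit(enabled_raw, third_party_raw, approved=frozenset()):
    """Flag accessibility services that belong to user-installed packages."""
    installers = parse_third_party(third_party_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg not in installers or pkg in approved:
            continue                 # preinstalled package, or explicitly approved
        sideloaded = installers[pkg] != PLAY_STORE
        findings.append({"package": pkg, "service": cls,
                         "installer": installers[pkg],
                         "severity": "high" if sideloaded else "review"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(finding)
```

A package that was not installed through Google Play and holds an accessibility service is rated `high`; a Play-installed one is rated `review` so the owner can confirm it is intentional.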