promoloading.blogg.se

S photo editor app








Jiangxi Huarui Network technology company

SophosLabs has discovered apps in Google Play harbouring Guerilla ad clicker malware. The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps. SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.

Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.

The apps harbouring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files. That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realising.

The new batch of Guerilla apps display a few technical differences from those removed from Google Play earlier this year. Like the earlier apps, the latest ones hide their payloads in their asset folders as text files. This time around the apps use the filenames atop.txt or atgl.txt. In an apparent effort to avoid detection, the JAR files now arrive encrypted with the DES algorithm and are decrypted on the phone.
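A triage check for the packaging described above, added here as an example and not taken from the SophosLabs research: it lists `.txt` entries in an APK's `assets/` folder that carry one of the two reported filenames or whose content is not text. The function names, the entropy threshold and the sample APK are assumptions made for illustration, as is the premise that the DES ciphertext is block-padded and so a multiple of 8 bytes long.

```python
import hashlib, io, math, zipfile
from collections import Counter

KNOWN_NAMES = {"atop.txt", "atgl.txt"}  # filenames given in the article

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (ciphertext approaches 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_text(data: bytes) -> bool:
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data

def scan_apk(apk):
    """Return {path: [reasons]} for suspicious .txt entries under assets/."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(".txt")):
                continue
            data, reasons = zf.read(name), []
            if name.rsplit("/", 1)[-1].lower() in KNOWN_NAMES:
                reasons.append("filename from the report")
            if not looks_like_text(data):
                reasons.append("content is not text")
                # Assumption: padded block mode, so DES ciphertext is 8-byte aligned.
                if len(data) % 8 == 0 and entropy(data) > 7.0:
                    reasons.append("high entropy, 8-byte aligned")
            if reasons:
                findings[name] = reasons
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed sample: SHA-256 output stands in for an encrypted payload."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/atop.txt", blob)       # name from the article
        zf.writestr("assets/notes.txt", blob[8:])  # same kind of blob, renamed
        zf.writestr("assets/help.txt", "Tap the filter button to edit a photo.\n")
        zf.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, reasons in scan_apk(build_sample_apk()).items():
        print(path, "->", "; ".join(reasons))
```

Compressed data is also high in entropy, so a hit on content alone is a prompt for closer inspection of the app, not a verdict.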


Thanks to Chen Yu of SophosLabs for her research.









