Since winter sales has begun to hit the stores, users and brands need to be wary.
Users rely heavily on reviews on when choosing shops, as retailers increase their promotion and advertising budgets. With the new Trojan application is boosting popular shopping app ratings and installations, and spreading numerous ads that may annoy users, neither can fully trust what they see online.
The Trojan, dubbed ‘Shopper’, first drew the attention of researchers following its extensive unclear and use of the Google Accessibility Service. The service allows users to set a voice to read out app content and automate interaction with the user interface, which is designed to help people with disabilities. However, attackers use this opportunity to present a serious threat to the device owner.
As soon as it gains access to use the service, the malware is able to gain almost unlimited opportunities to interact with the system interface and applications. It can capture data featured on the screen, press buttons and even emulate user gestures. Nothing is confirmed yet to how the malicious application is being spread. According to Kaspersky researchers, they assume that it may be downloaded by device owners from fraudulent ads or third-party app stores when trying to get legitimate application. The app masks itself as a system application and uses a system icon named ConfigAPKs in order to hide itself from the user. After the screen is unlocked, the app launches, gathers information about the victim’s device and sends it to the attacker’s servers. The server returns the commands for the application to execute. Depending on the commands, the app can:
Use a device owner’s Google or Facebook account to register on popular shopping and entertainment apps, including AliExpress, Lazada, Zalora, Shein, Joom, Likee and Alibaba;
Leave application reviews in Google Play on behalf of the device owner;
Check the rights to use the Accessibility Service. If permission is not granted, it sends a phishing request for them;
Turn off Google Play Protect, a feature that runs a safety check on apps from the Google Play Store before they are downloaded;
Open links received from the remote server in an invisible window and hide itself from the app menu after a number of screens are unblocked;
Show ads when unblocking the device’s screen and create labels to advertised ads in the app menu;
Download applications from the Apkpure[.]com ‘market’ and install them;
Open and download advertised applications in Google Play;
Replace labels of installed apps with labels of advertised pages
The highest share of users infected by Trojan-Dropper.AndroidOS.Shopper.a from October to November 2019 was in Russia, with a staggering 28.46% of all users affected by the shopaholic app located in the country. Almost a fifth (18.70%) of infections were in Brazil and 14.23% in India.
Igor Golovin, Kaspersky malware analyst says “Despite the fact that at the moment, the real danger stemming from this malicious app is limited to unsolicited ads, fake reviews and ratings issued in the name of the victim, no one can guarantee that the creators of this malware will not change their payload to something else. For now, the focus of this malicious app is on retail, but its capabilities enable attackers to spread fake information via users’ social media accounts and other platforms. For example, it could automatically share videos containing whatever the operators behind Shopper would want on personal pages of users accounts and just flood the internet with unreliable information”.
Kaspersky products successfully detect and block the Shopper malware under the following detection name: Trojan-Dropper.AndroidOS.Shopper. Read more about the Shopper on Securelist.com.
To reduce the risk of infection by malware threats such as this one, users are advised to follow the recommendations below:
Beware of apps that require the use of the Accessibility Service, if the application isn’t meant to be used with this function
Always check application permissions to see what your installed apps are allowed to do
Do not install applications from untrusted sources, even if they are actively advertised, and block the installation of programs from unknown sources in your smartphone’s settings
Use a reliable mobile security solution, such as Kaspersky Internet Security for Android, that can help identify potentially dangerous or questionable requests made by the downloaded application, and explain the risks associated with different types of common permissions