Run, Jump, Shoot, Infect: Trojanized Games Invade Google Play

ESET Researchers find Trojan Mapin bundled with games that look like popular titles such as Plants vs. Zombies and Candy Crush.

2 Min Read
Dark Reading logo in a gray background | Dark Reading

A newly discovered mobile sneak attack has taken aim at casual gaming fans with a ploy to repackage mobile Trojans with games on Google Play that look like popular titles: Plants vs. zombies, Candy crush, Jewel crush, and Super Maria Adventure, are among some of these malicious apps. While they've now been taken off the Google Play store, these Trojanized apps were there for a year-and-a-half and remain proliferated in third-party app stores.

Introduced to Google Play as early as 2013, the Trojanized apps silently drop another app called systemdata or resourcea with permission from the user -- by masquerading as a request to install a "Manage Settings" app. Its real identity is a Trojan called Android/Mapin, which runs thereafter on the infected device in the background as a service.

[By 2020 there will be 25 billion Internet of Things devices...all full of vulnerabilities. What can we do to solve the problem now? Don't miss the next episode of Dark Reading Radio, "Fixing IoT Security," this Wednesday, Sep. 23 at 1 p.m. Eastern Time.]

This piece of malware is a backdoor Trojan designed to put infected devices under the thumb of a botmaster. Interestingly, with Trojanized apps growing in popularity, the creator of Mapin built in the means of flying under the radar of gamers who might be suspicious of their new apps.

"The Trojan sets timers that delay the execution of the malicious payload. This is to make it less obvious that the trojanised game is responsible for the suspicious behavior," explains Lukáš Štefanko, malware researcher at ESET. "In some variants of this infiltration, at least three days must elapse before the malware achieves full Trojan functionality."

ESET researchers believe this delay probably is what also made it possible to evade Google's Bouncer malware prevention system. Mapin contains functionalities to push notifications, download, install, and launch apps and get access to private information on the device. Its primary reason for existence, though, seems to be displaying full-screen ads on the infected device.

"It can enable or disable interstitial or banner ads, change the publisher ID for displayed ads, choose whether or not to display ads to the user, change the delay time between ads being shown, install, download and launch applications, push notifications, revoke device admin rights, change the server with which the malware communicates, and create shortcuts on the home screen to URLs that install downloaded applications," explains Štefanko.

According to ESET, Mapin's rise is a good lesson in only trusting applications from well-known and respected publishers.

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights