Security researchers at Check Point have uncovered a new strain of malware in the Google Play Store that has already targeted tens of thousands of Android mobile users.
The malware, called Viking Horde after a popular Google Play app it imitates, is designed to turn infected devices into bots in a botnet, a network of compromised machines that the attackers control for profit.
According to the researchers who first discovered the malware on Google’s app marketplace, it is hard to remove from a device because it is persistent: it stays on the victim’s device despite attempts to wipe it off.
The researchers also disclosed the names of apps on Google Play Store that contain the malware, such as the Viking Jump game, which has passed a hundred thousand downloads on the app store and has topped the charts in some regional markets. Other apps carrying the malware are Wi-Fi Plus, Parrot Copter and Memory Booster. These apps have low ratings on Google Play Store, perhaps because users noticed that they asked for extra permissions, including root access, when they tried to download and install them.
Once installed, however, the app that contains the malware gains access to device features that could allow attackers to steal personal information. In other cases, users reported premium text messages being sent from their devices, and even a flood of SMS in what is believed to be a distributed denial-of-service attack. Yes, it can happen on mobile devices, too.
The malware is especially harmful to rooted Android devices, because there it downloads additional malicious components onto the phone that make it difficult for antivirus software to remove. Worse, attackers are able to execute code remotely through the malware.
Unknown to the owner of the infected device, the malware drops several of its components when the app is launched (for the gaming apps, when the game starts). It checks whether the device is rooted so that it can escalate privileges; if the device is not rooted, the malicious components are installed on the SD card instead. The malware then establishes a proxy connection that lets the attackers execute code remotely.
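The behaviour above gives a responder three things to look for on a suspect handset: one of the named apps installed, signs that the device is rooted, and loose code artifacts dropped onto external storage. The following script is an added triage example, not Check Point's tooling or anything from the original report. It runs offline over constructed text that mimics `adb shell` output; the package names (`com.example.*`), the external-storage listing and the list of `su` binary locations are assumptions, and because the article gives app titles but not package names, apps are matched by display label only.

```python
"""Offline triage helper for the Viking Horde indicators described above.

Added example, not Check Point's tooling. It parses constructed text that
mimics `adb shell` output and flags three things the article mentions:
apps whose display label matches one of the named titles, root indicators
(su binaries), and loose code payloads on external storage, where the
malware is said to drop components on non-rooted devices. Package names
are not given in the article, so apps are matched by label; all paths and
package names below are assumptions.
"""
import re

# App titles named in the article (labels, not package names).
KNOWN_LABELS = {"viking jump", "wi-fi plus", "parrot copter", "memory booster"}

# Typical locations of a `su` binary on rooted devices (assumed list).
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"}

# File extensions of dropped code artifacts worth a second look on shared storage.
PAYLOAD_EXT = re.compile(r"\.(dex|jar|apk|so|zip)$", re.IGNORECASE)

# Constructed sample: "package|label" pairs, as a wrapper around
# `pm list packages` plus label lookup might produce. Package names are made up.
SAMPLE_APPS = """\
com.example.vikingjump|Viking Jump
com.example.wifiplus|Wi-Fi Plus
com.android.chrome|Chrome
com.example.memboost|Memory Booster
"""

# Constructed sample: `ls -l`-style listing of the external storage root.
SAMPLE_SDCARD_LS = """\
-rw-rw---- 1 root sdcard_rw   812 2016-05-01 10:00 DCIM/photo.jpg
-rw-rw---- 1 root sdcard_rw 40211 2016-05-01 10:02 .cache/core.dex
-rw-rw---- 1 root sdcard_rw  9111 2016-05-01 10:02 .cache/helper.jar
-rw-rw---- 1 root sdcard_rw   200 2016-05-01 10:03 Download/notes.txt
"""

# Constructed sample: output of probing SU_PATHS, one line per path that exists.
SAMPLE_SU_PROBE = """\
/system/xbin/su
"""


def flag_apps(pm_output: str) -> list[str]:
    """Return package names whose label matches a title named in the article."""
    hits = []
    for line in pm_output.splitlines():
        if "|" not in line:
            continue
        pkg, label = line.split("|", 1)
        if label.strip().lower() in KNOWN_LABELS:
            hits.append(pkg.strip())
    return hits


def root_indicators(su_probe_output: str) -> list[str]:
    """Return su binary paths that the probe reported as present."""
    return [p.strip() for p in su_probe_output.splitlines() if p.strip() in SU_PATHS]


def dropped_payloads(ls_output: str) -> list[str]:
    """Return paths on external storage that look like dropped code."""
    found = []
    for line in ls_output.splitlines():
        parts = line.split()
        if parts and PAYLOAD_EXT.search(parts[-1]):
            found.append(parts[-1])
    return found


def triage(pm_output: str, su_probe_output: str, ls_output: str) -> dict:
    """Combine the three checks into one verdict dictionary."""
    apps = flag_apps(pm_output)
    su = root_indicators(su_probe_output)
    payloads = dropped_payloads(ls_output)
    return {
        "suspect_apps": apps,
        "rooted": bool(su),
        "su_paths": su,
        "sdcard_payloads": payloads,
        # Rooted device plus a suspect app is the worst case the article describes.
        "high_risk": bool(apps) and bool(su),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_APPS, SAMPLE_SU_PROBE, SAMPLE_SDCARD_LS).items():
        print(f"{key}: {value}")
```

On a real device the three inputs would come from `adb shell` (package listing, a loop over the `su` paths, and `ls -l` of `/sdcard`); the matching logic is the same. A hit on `sdcard_payloads` alone is only a lead, since legitimate apps also cache `.dex` and `.zip` files on shared storage.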
The infected apps are still available on Google Play Store as of this writing, and the search giant has yet to address the situation. Infected devices in the botnet appear to be spread across several countries, including Russia, Spain, Mexico and the United States.