Google Play: Super free music player contained malicious software

The music player Super free music player contained malicious software, as the experts at SophosLabs have now reported. They date its upload to Google Play to 31 March 2017. According to the specialists, the player reached between 5,000 and 10,000 downloads within a very short time. Although the malware-infected player has since been removed from Google Play, Sophos expects further attempts with similar apps and attack techniques.


According to the experts, the authors of the application used a sophisticated technique to get past Google's checks and past security tools. The technique is known from the game app BrainTest, which infected between 200,000 and 1 million users with its malicious software. The malware techniques include the use of time bombs, domain and/or IP mapping, the use of dynamically loaded code and reflection, and the use of multiple stages.

The malware is able to download additional malicious code from remote websites and to upload device information, including all installed apps, location, language, device model, SDK versions and so on.

“Sophos has identified the malicious software as Andr/AXENT-DS, and it is likely that we will see this malware again in other apps. We have analyzed this malware, and Sophos Mobile Security users are protected,” explains Michael Veit, technology evangelist at Sophos. “We have the free Sophos Mobile Security for Android in our program, which provides reliable protection for every end user. This example shows that even trusted providers like Google Play cannot rule out malware, and this was certainly not the last attack of this kind.”

SophosLabs has worked out the characteristics of the Super free music player. The self-running program file downloaded from Google Play, the so-called dropper, is called com.superfreemusic.songapp. First, the dropper starts a particular service every hour to decrypt the malicious code (the payload) and start it. It then uses dynamic code loading and reflection to invoke the payload's method, so that the malicious classes never appear in the app's own code. To avoid being recognized by Google Play's checks, the payload verifies whether the device is a real phone or merely a development environment. To do so it inspects various properties, for example the phone number (15555215554 and 15555215556, the default numbers the Android emulator assigns to its first two instances) and other characteristics. A further “time bomb” waits eight hours before starting the malicious payload. The payload can download another encrypted payload from remote web pages. It then sends a list of device information to an hxxp address.
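The dropper behaviour described above leaves recognisable traces in decompiled code. As an added example, not taken from the article or from the Sophos analysis, the following Python script sweeps decompiled Android code (for instance the smali that apktool produces) for those traces: dynamic class loading, reflective invocation, in-app decryption, emulator detection via the phone number, and scheduled or delayed execution. The indicator patterns, the triage verdict and the sample smali are constructed for illustration and are assumptions about how such a loader typically looks; the phone-number helper relies on the Android emulator's documented default of +1 555 521 followed by the instance's console port.

```python
"""Indicator sweep over decompiled Android code for a staged, emulator-evading dropper.

Example code, not SophosLabs tooling. Patterns and weighting are this example's own
assumptions; run scan() over the smali/Java that apktool or jadx extract from an APK.
"""
import re
from collections import defaultdict

# Regexes over smali/Java lines, grouped by the technique they hint at (assumed indicators).
INDICATORS = {
    "dynamic_code_loading": [
        r"Ldalvik/system/(Dex|Path|InMemoryDex)ClassLoader;",
        r"\b(Dex|Path|InMemoryDex)ClassLoader\b",
    ],
    "reflection": [
        r"Ljava/lang/Class;->forName",
        r"Ljava/lang/Class;->get(Declared)?Method",
        r"Ljava/lang/reflect/Method;->invoke",
    ],
    "payload_decryption": [
        r"Ljavax/crypto/Cipher;->(getInstance|init|doFinal)",
        r"Landroid/util/Base64;->decode",
    ],
    "emulator_check": [
        r"Landroid/telephony/TelephonyManager;->getLine1Number",
        r"\b1555521\d{4}\b",  # default emulator MSISDNs, see emulator_msisdn()
        r'"(goldfish|ranchu|generic_x86|sdk_gphone)',
    ],
    "scheduled_execution": [
        r"Landroid/app/AlarmManager;->set(Inexact)?Repeating",
        r"Landroid/app/job/JobScheduler;->schedule",
    ],
    "time_delay": [
        # 1 h and 8 h in milliseconds (hex and decimal); assumption that delays are ms constants
        r"(?i)\b(0x36ee80|3600000|0x1b77400|28800000)\b",
    ],
    "remote_payload": [
        r"Ljava/net/URL;-><init>",
        r"Ljava/net/HttpURLConnection;",
    ],
}

# A loader that decrypts code and runs it through reflection is the core dropper pattern.
STAGED_LOADER = {"dynamic_code_loading", "reflection", "payload_decryption"}


def emulator_msisdn(console_port: int) -> str:
    """Phone number the Android emulator reports for the instance on the given console port.

    Instances are numbered +1 555 521 <port>; the first emulator listens on 5554, the next
    on 5556, so 15555215554 and 15555215556 are the first two emulator instances.
    """
    return f"1555521{console_port:04d}"


def scan(code: str) -> dict[str, list[str]]:
    """Return {technique: [matching lines]} for every indicator found in decompiled code."""
    hits: dict[str, list[str]] = defaultdict(list)
    for lineno, line in enumerate(code.splitlines(), 1):
        for technique, patterns in INDICATORS.items():
            if any(re.search(p, line) for p in patterns):
                hits[technique].append(f"{lineno}: {line.strip()}")
    return dict(hits)


def verdict(hits: dict[str, list[str]]) -> str:
    """Crude triage. Any single indicator is common in benign apps (ad SDKs use reflection,
    updaters use DexClassLoader); the combination with an emulator check is what stands out."""
    found = set(hits)
    if STAGED_LOADER <= found and "emulator_check" in found:
        return "suspicious: staged loader with emulator evasion"
    if STAGED_LOADER <= found:
        return "review: staged code loading"
    return "no staged-loader pattern"


# Constructed smali fragment imitating the described loader; not real decompiled output.
SAMPLE_SMALI = """\
.class Lcom/superfreemusic/songapp/Loader;
invoke-static {v0, v1}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B
const-string v2, "AES/CBC/PKCS5Padding"
invoke-static {v2}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
new-instance v3, Ldalvik/system/DexClassLoader;
invoke-virtual {v4, v5}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
invoke-virtual {v6, v7, v8}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
invoke-virtual {v9}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
const-string v10, "15555215554"
const-wide/32 v11, 0x1b77400
invoke-virtual {v12, v13, v14, v15, v16}, Landroid/app/AlarmManager;->setRepeating(IJJLandroid/app/PendingIntent;)V
"""

if __name__ == "__main__":
    found = scan(SAMPLE_SMALI)
    for technique, lines in found.items():
        print(f"[{technique}]")
        for entry in lines:
            print("   ", entry)
    print("verdict:", verdict(found))
```

The verdict deliberately requires the whole chain (decrypt, load, invoke via reflection, plus an emulator check) before flagging; matching on DexClassLoader alone would drown an analyst in false positives from legitimate plugin and update frameworks.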

