An Android malware strain camouflaged as a system app is used by threat actors to disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more. The heavily obfuscated malware dubbed Trojan-Dropper.AndroidOS.Shopper.a uses a system icon and the ConfigAPKs name which closely resembles the name of a legitimate Android service responsible for app configuration the first time a device is booted. "Trojan-Dropper.AndroidOS.Shopper.a was most widespread in Russia, where the largest share of infected users (28.46%) was recorded in October – November 2019," Kaspersky Lab researcher Igor Golovin said. "Second place went to Brazil (18.70%) and third to India (14.23%)." Once it infects a victim's Android device, the malware downloads and decrypts the payload, then goes straight to information harvesting, collecting device info such as country, network type, vendor, smartphone model, email address, IMEI, and IMSI. All this data is then exfiltrated to the operators' servers which will send back a series of commands to be run on the infected smartphone or tablet. The attackers will utilize the Shopper.a Trojan to boost other malicious apps' ratings on the Play Store, post fake reviews on any apps' entries, install other apps from the Play Store or third-party app stores under the cover of an "invisible" window. All this is done by abusing the Accessibility Service, a known tactic used by Android malware to perform a wide range of malicious activities without needing user interaction [1, 2, 3, 4]. If it has no permissions to access the service, the Trojan will use phishing to get them from the compromised device's owner. "The lack of installation rights from third-party sources is no obstacle to the Trojan — it gives itself the requisite permissions through Accessibility Service," Kaspersky Lab researcher Igor Golovin explained. "With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures." "Cybercriminals use Trojan-Dropper.AndroidOS.Shopper.a to boost certain app’s rating and increase the number of installations and registrations," Golovin added. "All this can be used, among other things, to dupe advertisers. What’s more, the Trojan can display advertising messages on the infected device, create shortcuts to ad sites, and perform other actions."Get the full scoop by visiting OUR Forum.