Experts at Kaspersky Lab have discovered an Android Trojan called ‘Guerrilla’, which tries to defeat the anti-fraud protection mechanisms of the Google Play store by using a fraudulent application that behaves as if a real person were behind it.
This fake application lets attackers run promotional campaigns that use infected devices to download, install, rate and comment on publications on Google Play. However, abusing the infected devices in this way is not all this malware can do.
With millions of users and software developers, Google Play is an attractive platform for cybercriminals. Among other things, cybercriminals use Google Play to run campaigns known as Shuabang, which are widespread in China.
These fraudulent advertising activities aim to promote certain legitimate applications by giving them higher ratings, increasing their downloads and publishing positive comments about them on Google Play.
Many of the applications used to conduct these campaigns usually pose no direct threat, such as data or money theft, to the user of the infected device. However, they can do much more damage: the ability to download additional applications onto infected devices means extra charges for Internet traffic, and in some cases Shuabang applications are able to secretly install free and even paid programs, using the bank card associated with the user's Google Play account.
To carry out these activities, cybercriminals create numerous fake accounts on Google Play or infect users' devices with special malware able to covertly perform actions on the platform based on orders received from the attackers.
Although Google has strong protection mechanisms that help detect and block fake users to prevent fraudulent operations, the authors of the Guerrilla Trojan appear to be trying to overcome these protections.
The Trojan is introduced onto the device through the Leech rootkit, malware that grants the attackers superuser privileges on the infected device. These privileges give cybercriminals unlimited opportunities to manipulate data on the device.
Among other things, this gives access to the user name, password and authentication tokens required to communicate with Google's official services, which are inaccessible to normal applications on non-rooted devices. Once installed, the Guerrilla Trojan uses this data to contact the Google Play store as if it were a legitimate application.