A new trojan dubbed GPlayed shows that threat actors are increasing their abilities to create hybrid threats that can move code from desktops to mobile platforms with no effort.
Cisco Talos researchers discovered the malware, still in its testing stages, using an icon similar to the one used in the Google Play store and displaying the name Google Play Marketplace, according to an Oct. 11 blog post.
“Having the ability to move code from desktops to mobile platforms with no effort, like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before,” researchers said in the post. “This trojan’s design and implementation is of an uncommonly high level, making it a dangerous threat.”
GPlayed is written in .NET and seeks toexfiltrate a user’s data such as the phone’s model, IMEI, phone number, country and other sensitive information. The trojan disguises its communications by serializing it using JSON, before sending it over HTTP using either a standard web request or a web socket.
Researchers described the trojan as “extremely powerful” due to its capability to adapt after its deployed and noted the malware’s operator has the ability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.
Once installed, the trojan seeks to escalate its own privileges and repeatedly display screens asking for the user to approve the changes until they accept and will even prompt users to enter their payment card information while preventing them to access other features until their “payment information” is updated.
The examined sample targeted Russian-speaking users however, researchers noted the trojan can easily be customized to a different language.