A popular mobile PDF creator that has been downloaded from Google Play more than 100 million times was found to have a malicious dropper component included.
Kaspersky researchers Igor Golovin and Anton Kivva report that an examination of Phone PDF creator found a malicious dropper component in the app's advertising library. The component is very similar to some malware that came pre-installed on Chinese-made smartphones. The component, identified by Kaspersky as Trojan-Dropper.AndroidOS.Necro.n, was reported to Google and removed from the app store.
One of the clues that something was amiss with Phone PDF was the negative comments users recently left on its Google Play page, complaining that it did not work properly.
The malware’s functionality is relatively straightforward. When the app is run, the dropper downloads and decrypts the malicious code contained in the mutter.zip file. A file named “comparison”, which also contains the URLs of the command and control servers, is then decrypted. The app then downloads and executes an additional malware module and begins operation.
Essentially, the dropper enables the cybercriminals to download a payload that will allow them to do as they wish with the device, from showing the victim unwanted advertising to stealing money from their mobile account by charging paid subscriptions.