
Google pulls malicious ‘Viking’ apps from Play store

Security researchers discovered popular Android applications that execute remote code on devices and use the infected devices to create botnets that engage in ad fraud, DDoS attacks, and spam messages.

Google pulled the malicious apps from the Play store on Tuesday, Check Point said. The malicious apps included a gaming app named Viking Jump and several others, including Parrot Copter WiFi Plus, Memory Booster, and Simple 2048. Viking Jump received 50,000 to 100,000 downloads.

Once a device is infected, it periodically reaches out to the command and control server, from which it can download additional instructions, Check Point's head of mobility product management, Michael Shaulov, said. “The overall architecture of the malware allows the owner of the botnets to develop new functionalities.”

The infected devices reach out to the command and control server periodically to download additional instructions. The command and control server can then implement many different attacks, depending on the region, mobile carrier, or device model.

“The malware's primary objective is to hijack a device and then use it to simulate clicks on advertisements in websites to accumulate profit. The malware needs this proxy to bypass ad-nets' anti-fraud mechanisms by using distributed IPs,” wrote Check Point mobile information security analysts Andrey Polkovnichenko and Oren Koriat in a blog post Tuesday.

User reviews of the Viking Jump app claimed the app sent premium SMS messages. “The architecture paired with the proxy activity, could also be used for clickjacking and advertising fraud, and distributed denial of service,” said Shaulov. “With this architecture, it could also be extended to banking fraud or more advanced attacks.”

Shaulov noted a proliferation of criminal groups selling user information on dark web forums. “They are sharing information in forums that are much more open and robust,” he added. “We don't know all the attack models that were developed by the hacker.”
