Researchers discovered a new Trojan family called “Venus” resides in the Google play store infected at least 285,000 Android users around the world.
There are 8 apps involved with the malicious activities in Android user’s device and it is mainly targeting the carrier billing and advertising area.
Threat actors developed these apps to interact with Ads and subscribe the user to premium services without any sort of notification, and it also bypasses the Google Play protect and malware detection system.
There are several countries were targeted by this malware campaign including Belgium, France, Germany, Guinea, Morocco, Netherlands, Poland, Portugal, Senegal, Spain, and Tunisia.
Malware Infection Process via Malicious App
Researchers observed that most of the data consumed by an application called “Quick scanner” which is protected by a library that encrypts and hides files.
According to Evina research, “The application uses the libjiagu library created by the Chinese company Qihoo. The library protects the application’s content and runs protections against reverse engineering. Unfortunately, fraudsters take advantage of the library to use it dishonestly.”
Further deep analysis revealed that the apps have fraudulent code in compiled Android file and it processes the anti-reverse check after the file was imported and decrypted in memory in order to bypass Google’s detection.
“Venus is waiting for the right time to attack. The malware is able to register time after the application has been downloaded instead of being launched on the very first day.” Evina said.
Once it performed the successful attack, Venus malware communicates with the C2 server domain(glarecube[.]com) which is controlled by an attacker to send the encrypted request.
After decrypted, Server response with two following things.
1) All the instructions containing URLs that redirect to premium services or websites containing ads, all created by the fraudster
With running an application, the URL simply loaded into the browser without letting users know whats going on and it subscribes to the premium ads, at the end attackers can make its profit from advertisements clicks and premium services subscriptions.