NEWS FROM THE LAB - Wednesday, July 11, 2012

Google Play Fails to Remove All Super Mario Malware

Posted by Sean @ 11:43 GMT

Malware has been found once again on Google Play, according to this post by Symantec's @Irfan_Asrar.

Android.Dropdialer poses as a "Wallpaper" app but it also happens to install an additional app which then sends a premium rate SMS.

Asrar analyzed two versions found on Play that used video games as bait. Good news: Android Security removed the apps identified by Asrar. Bad news: there are more malware apps currently on Google Play. When something works once, bad guys will try it again.

With that in mind, we used Google Search and found more examples (in less than 10 seconds).

Google Play, Search

Here's another version of the "Super Mario Bros." app:

Vahtang Maliev, Super Mario Bros.

GTA 3: Las Vegas (Asrar located a Moscow City version):

Vahtang Maliev, GTA3 Las Vegas

Instagram After Effects:

Vahtang Maliev, Instagram

FIFA 11 Russian Edition:

Vahtang Maliev, FIFA 11

Odnoklassniki Life:

Vahtang Maliev, Odnoklassniki

Here's something clever…

Premium rate SMS numbers only work within a particular country. So, this malware is "incompatible" outside of profitable networks.

This app is incompatible with all of your devices.

This limits the malware to its target group, as well as making it more difficult for antivirus researchers to collect samples.

Kudos to Asrar for identifying the threat. Better luck next time to "Android Security".

Updated to add:

Here's a video demonstration of the Vahtang Maliev version of the Super Mario Bros. Dropdialer:

YouTube: Dropdialer: Super Mario Bros. Version