The Cisco Talos Intelligence Group unveiled a new Android Trojan they dubbed GPlayed, with an extensive array of built-in malicious tools, as well as the capability to compile new modules received from its command-and-control (C&C) server on the compromised device.
Moreover, GPlayed's toolset can be expanded by its developers without releasing a new version: features are added either through a built-in plugin system or by compiling source code received from the C&C server directly on the infected device and upgrading the running Trojan in place.
As Cisco Talos found, GPlayed is designed to adapt to its master's needs and can assume multiple roles, from spying Trojan to data-stealing Trojan, which lets the bad actors use it for a multitude of purposes, from monitoring the victim's location to stealing banking credentials.
The most important feature of GPlayed is that its feature set can be customized easily after the Trojan has been deployed on the compromised device, using the plugin system and the on-device code compilation mentioned above.
GPlayed's capabilities can be sorted into three different categories: spying, self-management, and miscellaneous.
The malware disguises itself as the "Google Play Marketplace" app, and it can be remotely tailored by its operators to fit multiple purposes.
On the spying front, GPlayed is capable of exfiltrating geolocation info, text messages, contacts, and a full list of all installed apps, while the self-management modules enable it to load, compile and execute new modules from received source code, change the C&C server, as well as send or load new plugins.
Furthermore, GPlayed allows its masters to lock or wipe the device, send SMS, add/remove web injects, show notifications, open the web browser, and collect credit card information which it can send to its operators.
The GPlayed sample detected and analyzed by the Cisco Talos researchers uses the "Google Play Marketplace" name and an icon very similar to the Play Store's to disguise itself and avoid removal by an eagle-eyed target.
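A label-versus-package check is the simplest way to catch this kind of impersonation on a fleet: the Play Store's visible name is not protected, but its package name is fixed. The script below is an added example written for this article, not code from Cisco Talos or from the malware. It assumes that the genuine Play Store is the package com.android.vending, that an app inventory can be exported as one line per app (the format and the sample rows are constructed here, with invented impostor package names), and that an installer value of "-" means no installer was recorded, i.e. a sideloaded app.

```python
"""Flag installed Android apps whose visible label impersonates the Google Play Store.

Added example for illustration; not Cisco Talos code and not GPlayed code.
Assumptions (also noted inline): the genuine store is com.android.vending, the
inventory format below is constructed, and "-" as installer means sideloaded.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the only package entitled to present itself as the Play Store.
GENUINE_PLAY_STORE = {"com.android.vending"}

# Normalised label fragments that claim to be the store itself. Deliberately not
# the bare "googleplay", which would also match Google Play services / Games.
STORE_LABEL_FRAGMENTS = ("googleplaystore", "googleplaymarket", "playstore", "playmarket")


@dataclass(frozen=True)
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]  # None: sideloaded or installer not recorded


# Constructed inventory line format: package=<pkg> label="<label>" installer=<pkg|->
LINE_RE = re.compile(r'^package=(\S+)\s+label="([^"]*)"\s+installer=(\S+)$')


def parse_inventory(text: str) -> List[InstalledApp]:
    """Parse the constructed one-app-per-line export; blank and '#' lines are skipped."""
    apps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable inventory line: {line!r}")
        package, label, installer = m.groups()
        apps.append(InstalledApp(package, label, None if installer == "-" else installer))
    return apps


def normalise(label: str) -> str:
    """Lower-case and drop everything but letters/digits, so 'Google Play Marketplace'
    and 'google-play MARKET place' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.casefold())


def claims_to_be_play_store(label: str) -> bool:
    n = normalise(label)
    return any(frag in n for frag in STORE_LABEL_FRAGMENTS)


def find_impostors(apps: List[InstalledApp]):
    """Return (package, reason) for every app that presents as the Play Store
    under a package name other than the genuine one. The installer is reported
    as context only: an impostor can still carry a plausible installer string."""
    findings = []
    for app in apps:
        if app.package in GENUINE_PLAY_STORE or not claims_to_be_play_store(app.label):
            continue
        reason = f"label {app.label!r} presents as the Play Store but package is {app.package}"
        if app.installer is None:
            reason += "; no installer recorded (sideloaded)"
        findings.append((app.package, reason))
    return findings


# Constructed sample inventory; the impostor package names are invented.
SAMPLE_INVENTORY = """\
# constructed sample export
package=com.android.vending label="Google Play Store" installer=-
package=com.google.android.gms label="Google Play services" installer=-
package=com.example.updater label="Google Play Marketplace" installer=-
package=net.example.shop label="Play Store" installer=com.android.vending
package=com.example.notes label="Notes" installer=com.android.vending
"""

if __name__ == "__main__":
    for package, reason in find_impostors(parse_inventory(SAMPLE_INVENTORY)):
        print(f"SUSPECT {package}: {reason}")
```

Run against the constructed inventory, the genuine store and Google Play services pass, while the "Google Play Marketplace" and "Play Store" entries under other package names are reported. The fragments are chosen to match the store's own name rather than any Google Play product, which is the usual false-positive trap with a naive "Google Play" substring match.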
After the initial deployment, the Trojan starts three timers: the first pings the C&C server after 20 seconds, the second toggles Wi-Fi on every five seconds, and the third registers the device with the C&C server every 10 seconds.
Fortunately, as Cisco Talos also discovered, the modular GPlayed Android Trojan is still under development: its source code contains many 'test' labels, all of the URLs mentioned in the source code were inactive, and the malware generates large amounts of debugging information.