Researchers at Cisco Talos have discovered a new Trojan that masquerades as the Google Play Store when it infects an Android device. Dubbed ‘GPlayed’, the Trojan not only labels itself “Google Play Marketplace” but also uses an icon that closely resembles the Play Store icon. The researchers describe the Trojan as “extremely powerful” because it has the capability to “adapt after it is deployed”: it can remotely load plugins, inject scripts and even compile new .NET code to be executed.
When activated, the GPlayed Trojan starts executing a multitude of different tasks and attempts to establish contact with its command-and-control server in order to register the device. This registration includes private information such as the phone’s model, IMEI number, phone number and country. Finally, the Trojan attempts to escalate and maintain privileges. It does this by requesting device administrator rights and asking the user to allow it access to the device’s settings. The screen asking for the user’s approval will not close unless the user approves the privilege escalation; if the user does manage to close the window, it pops up again a little while later.
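A defender-side triage heuristic built from the behaviour described above, added here as an example and not code from the Talos write-up: it flags installed apps whose label mimics Google Play while their package name is not the genuine Play Store package (`com.android.vending`, a known value), and notes when such an app holds device administrator rights or can read the identifiers the Trojan sends during registration. The inventory records and the `AppRecord` shape are constructed for the example and are not the output of any real tool.

```python
"""Triage an Android app inventory for Play Store look-alikes.

Added example; the record format is constructed, not a real tool's output.
"""
import re
from dataclasses import dataclass, field

LEGIT_PLAY_STORE_PKG = "com.android.vending"   # genuine Play Store package name
LOOKALIKE_LABEL = re.compile(r"google\s*play", re.IGNORECASE)
# Permissions an impostor would need to collect what GPlayed registers
# with its C2 (IMEI, phone number and similar identifiers).
IDENTITY_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
}


@dataclass
class AppRecord:               # constructed inventory record
    label: str                 # user-visible app name
    package: str               # Android package name
    device_admin: bool         # holds device administrator rights
    permissions: set = field(default_factory=set)


def triage(app: AppRecord) -> list:
    """Return reasons this app looks like a Play Store impostor (empty if none)."""
    reasons = []
    if LOOKALIKE_LABEL.search(app.label) and app.package != LEGIT_PLAY_STORE_PKG:
        reasons.append(f"label mimics Google Play but package is not {LEGIT_PLAY_STORE_PKG}")
        if app.device_admin:
            reasons.append("holds device administrator rights")
        if app.permissions & IDENTITY_PERMS:
            reasons.append("can read device identifiers / phone number")
    return reasons


def find_suspects(inventory: list) -> dict:
    """Map package name -> reasons for every app that triggers the heuristic."""
    return {a.package: triage(a) for a in inventory if triage(a)}


# Constructed sample inventory: one genuine store, one impostor, one benign app.
SAMPLE_INVENTORY = [
    AppRecord("Google Play Store", "com.android.vending", False,
              {"android.permission.INTERNET"}),
    AppRecord("Google Play Marketplace", "com.example.fakeplay", True,
              {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"}),
    AppRecord("Notes", "com.example.notes", False, set()),
]

if __name__ == "__main__":
    for pkg, why in find_suspects(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```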