Doctor Web security researchers detected the Android.Xiny.19.origin Trojan that targeted dozens of games published on the Google Play store. The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements.
The Trojan was incorporated into more than 60 games that were then distributed via Google Play in the names of more than 30 game developers, including Conexagon Studio, Fun Color Games, BILLAPPS, and many others. Although Doctor Web has already informed Google about this incident, to this day, the affected applications are still available on Google Play. It is recommended that you do not download games from the store to devices without anti-virus software in the next few hours.
The main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cybercriminals’ command. However, the way it is carried out is rather unique. To masquerade the malicious program, virus makers hide it in specially created images by applying steganography. Unlike cryptography that is used for encryption of source information, which may arouse suspicion, steganography is applied to hide information covertly. Virus makers presumably decided to complicate the detection procedure expecting that security analysts would not pay attention to benign images.

Upon receiving a necessary image from the server, Android.Xiny.19.origin retrieves a hidden apk file with the help of a special algorithm and then executes it.

More information on: