A popular South Korean bus information app, Daegu Bus, was found to be dropping malware on the devices it was installed on. The five-year-old app has since been removed from Google Play.
According to a post by McAfee’s security researchers, the malicious component was pretending to be a plugin for the transportation app series. Google Play has now removed all 4 apps in the series.
When the malicious app is installed on a user’s phone, it downloads additional programs from compromised servers, including the fake plugin. Once the fake plugin is installed, it quickly installs a trojan on the phone of the unsuspecting user.
The malware then runs through a complicated set of routines and attempts phishing by loading a fake Korean Google login page, through which it tries to steal the victim’s Google credentials. If the user tried to create a Google account, the app would set the recovery address to one of its own choosing, presumably so the account could be taken over later.
However, as the report states, these attempts are unsuccessful because the parameters passed during account creation are ignored.
Once the trojan is installed, the phone is completely compromised
The trojan installed by the fake app on the victim’s phone gets complete control of the device. It can download, upload, or delete files on the device. It can also send information to the remote server and upload pictures and other sensitive data.
In addition, the trojan executed a set of search commands looking for 42 military-related keywords within files and documents.
Based on these file search commands, the McAfee researchers think this trojan may be targeted at military personnel.