Alkajak
Thread author
It's always a good idea to let users know that once in a while malware manages to make its way into the official Google Play Store, in spite of Google's strict policies and scanning system.
The latest revelation on the front of Google Play Store malware comes from California-based security firm Lookout, which recently discovered a very dangerous Android malware called Acecard packaged inside a benign card game called Black Jack Free (com.bjack.free).
Malicious game infected over 5,000 users
The game was uploaded to the store last week, but Lookout quickly detected the dangerous virus hiding inside it and reported it to Google's staff. Nonetheless, the app was installed on at least 5,000 devices before being taken down four days later.
Acecard is one of the most dangerous, if not the most dangerous, Android malware families known today, first discovered and analyzed by Kaspersky in February, and with possible roots in GM Bot.
This Android trojan is a complete threat, with spyware features, bank phishing capabilities, info-stealing functions, and a screen-locking ransomware-like behavior.
Black Jack app installed another secret app
According to Lookout, crooks bundled Acecard in the Black Jack Free app to do two things: to install a secondary app named Play Store Update (cosmetiq.fl) and to show credential phishing popups. Users who installed the game should also search their phones and remove this secondary app.
Black Jack Free targeted not only regular banking applications but also social apps such as Skype and Facebook.
Additionally, the app could intercept SMS messages, forward SMS data to a C&C server, forward phone calls, lock the device screen, and even wipe user data from the device if a special command was received.
Relating to banking trojans like Acecard in general, the Lookout team found the perfect analogy. "You can compare this kind of mobile malware with ATM skimmers — the devices criminals install over an ATM’s card reader in order to steal a person’s card information. It’s a layer of technology that siphons off data while the individual goes about their regular banking business."
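A practical check for the indicators named in the post, added here as an example and not taken from the article or from Lookout: a POSIX shell function that scans a package listing in the format produced by `adb shell pm list packages` for the two package names reported above (com.bjack.free and the dropped cosmetiq.fl). The listing embedded in the block is constructed; on a real device the adb output is piped into the function instead.

```shell
#!/bin/sh
# Added example, not from the article or from Lookout: scan a package listing
# in the format of `adb shell pm list packages` ("package:<name>" per line)
# for the two package names the post reports.

# Indicators taken from the post: the trojanised game and the dropped second app.
BAD_PACKAGES="com.bjack.free cosmetiq.fl"

# Read a listing on stdin; print each matching package name, one per line.
# Exit status 1 if any indicator matched, 0 if the listing is clean.
check_packages() {
    found=0
    while IFS= read -r line; do
        pkg=${line#package:}        # strip the "package:" prefix that pm prints
        for bad in $BAD_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                echo "$pkg"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample listing standing in for real `adb shell pm list packages` output.
SAMPLE_LISTING='package:com.android.settings
package:cosmetiq.fl
package:com.example.bank
package:com.bjack.free'

# Stand-alone run against the sample; on a connected device use:
#   adb shell pm list packages | check_packages
if printf '%s\n' "$SAMPLE_LISTING" | check_packages; then
    echo "no known Acecard packages found"
else
    echo "remove each listed package with: adb shell pm uninstall <package>"
fi
```

A hit can be removed with `adb shell pm uninstall <package>` once USB debugging is enabled. Package names are the only indicator used here, so a repackaged build under a different name would not be caught; treat a clean result as necessary, not sufficient.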