Security researchers have uncovered an ingenious money-making campaign in China in which hackers bribed a mobile gaming company to include malware among its legitimate apps, ensuring they were whitelisted by a major AV vendor.
Check Point researcher Feixiang He explained that the legit apps, some featuring the trojan malware, were sent to Qihoo 360 for review.
Once whitelisted, the malware could run hidden on any machine protected by the popular free AV software and was found listed on third-party mobile app stores.
The next stage was to steal money from sellers on Taobao – China’s answer to eBay.
“On Taobao.com, buyers initiate purchases by sending a picture of an item to the seller using the Aliwanwang instant messaging app. Money is then exchanged between the buyer and the seller using Alipay, Aliwanwang’s payment platform,” explained He.
“Attackers disguised as Taobao.com buyers sent sellers legitimate photos injected with whitelisted trojans. These sellers then opened the pictures on PCs and became infected because the trojans weren’t detected by Qihoo anti-virus.”
In the final stage of the sophisticated operation, the black hats asked the sellers for a refund on their products, requiring the latter to log in to their Alipay accounts.
In doing so, the trojan would record their keystrokes and therefore allow the attackers to gain access to the seller’s account.
Check Point warned that the campaign showed how some whitelisting technology is still lacking, and that third-party app stores should not be trusted.
“If malware can be installed on machines protected by Qihoo and can infiltrate into its own app store, this example illustrates how important it is to avoid third-party stores and to instead at least rely on stores with more reliable security,” He concluded.
“But even still, stores like the App Store and Google Play aren’t immune to threats. It’s only a matter of time before attackers turn their full attention to infiltrating the app stores users trust most.”
Check Point told Infosecurity the gaming company in question was Xiamen Shengyou Network Co, and the offending title '801?????'.