Researchers at Dr. Web have discovered a new Trojan lurking inside over 60 games in the Google Play store. The games are being distributed by more than 30 developers, including Conexagon Studio, Fun Color Games and BILLAPPS. The main purpose of the Trojan, dubbed Android.Xiny.19.origin, is to create a backdoor on the affected mobile device to download and run additional malicious programs at the cybercriminal’s command. The Trojan appears to do this in the background as the user plays the affected game. 

Once installed, this virus collects the following information about the mobile device: the IMEI and MAC addresses (unique device identifiers), the operating system version, the current language, and mobile network provider name. Additionally, the Trojan also gathers information about the accessibility of memory cards and, in addition to downloading and installing additional malware, it can also delete applications without the user’s knowledge if root access is available on the infected device. It can also, less maliciously, be used to display advertisements.

The researchers report that, “To masquerade the malicious program, virus makers hid it in specially created images by applying steganography.” Steganography is the technique of embedding malicious computer code into media, in this case pictures, to hide the infection from antivirus programs. In the case of Android.Xiny.19.origin, the code embedded in the images retrieves a hidden file and then executes it. The technique of steganography dates back to ancient Greece, when people wrote secret messages on wood and covered them with beeswax so that the recipient could discover them by removing the layer of wax.

At the time of this writing, the affected games are still available in the Google Play store.