A new threat seems to have come to Android, wreaking havoc discreetly and installing applications on the devices. Of course, it does not stop there and also steals user data. Skyfin, named for this new malware, arrives at Android by the most frequent infection entry point, the out-of-the-way application stores. Once infected, and using a well-known component, Android.Download, your smartphone starts a process of installing applications from the Play Store to give a higher ranking to certain applications. By committing the Play Store process, this malware can steal Android’s control and is only dedicated to doing these installations, increasing their ranking and bringing them up against Google’s lists. What’s more curious is that Skyfin does not even install applications on smartphones. It performs the normal purchase and download process of the application, placing only the application in the download folder, but indicating to the Play Store that it has been installed. This behavior allows the user not to give the infection and therefore does not detect Skyfin. This is not an abnormal behavior in this type of malware. The idea is that periodically new applications are sent to the compromised device, making this part of a network of devices that are dedicated to grow applications in the ranking of Google. It was further discovered that Skyfin can click on advertising banners, again reverting to the attacker. In addition to this, which is already negative for the smartphone, Skyfin is still stealing user data and sending it to the attacker. This is one more problem that Google can hardly solve or eliminate. The source of the problem comes from users and applications installing from external stores or APKs they find on the Internet.
Δ