Skyfin is an Android Trojan that covertly downloads and purchases applications from the Google Play Store. It is distributed by Trojans in the Android.DownLoader family after a user downloads a malicious file from a third-party store. The initial Trojan downloads and launches Android.Skyfin.1.origin, which then injects Android.Skyfin.2.origin into the Google Play Store process. The injected module steals the device's unique ID, the device owner's account used for Google services, various internal authorization codes for connecting to the Google Play catalog, and other sensitive data. The module passes this data to the Android.Skyfin.1.origin component, which forwards it to a C2 server together with the device's technical information. Using this data, Android.Skyfin.1.origin connects to the Google Play catalog and simulates the operation of the Play Store application in order to execute the following commands:

  • /search
  • /purchase
  • /commitPurchase
  • /acceptTos
  • /delivery
  • /addReview
  • /deleteReview
  • /rateReview
  • /log

The attacker specifies the application, and Android.Skyfin.1.origin saves it to an SD card instead of installing it. The user therefore cannot see the new program on his or her home screen, which increases the odds of the Trojan remaining undetected. There are several modifications of Android.Skyfin.1.origin (e.g. com.op.blinkingcamera) as well as a general modification that is used to download any program from a list provided by the attacker. Attackers can use Skyfin to artificially increase the popularity of certain apps within the Google Play Store and to generate revenue via click fraud on pay-per-click ads in apps.

Technical Details

  • Dr. Web provides technical details on the Skyfin Android Trojan.

Tags: Android Malware, NJCCIC, Skyfin