Skip to main

Woburn, MA, August 31, 2016Kaspersky Lab experts have discovered an Android Trojan called Guerilla, which attempts to overcome the Google Play Store anti-fraud protection mechanisms. It uses a rogue Google Play client application that behaves as if there was a real human behind it. This fake app allows attackers to conduct shady advertisement campaigns using infected devices to download, install, rate and comment on the mobile applications published on Google Play. The malware is only capable of abusing Google Play mechanisms from rooted devices.

As a platform for millions of users and software developers, Google Play is an attractive target for cybercriminals. Among other things, cybercriminals use the Google Play Store to conduct so-called Shuabang campaigns, which are widespread in China. These are fraudulent advertisement activities aimed at promoting some legitimate apps by granting them the highest rates, increasing their download rates and posting positive comments about them on Google Play. The apps used to conduct these advertisement campaigns usually do not pose any “standard” threat to the owner of an infected device, such as data or money stealing, but they can still do harm: the ability to download additional apps on the infected device results in extra charges for mobile Internet traffic, and in some cases Shuabang apps are capable of covertly installing paid programs, along with free ones, using the bank card attached to the victim’s Google Play account as the payment method.

To conduct these campaigns, criminals create multiple fake Google Play accounts or infect user devices with special malware, which covertly performs actions on Google Play, based on the commands received from hackers.

Although Google has strong protection mechanisms, which help detect and block fake users to prevent fraudulent operations, the authors of the Guerilla Trojan seem to be trying to overcome them.

The Trojan is delivered to the targeted device through Leech rootkit – a malware that gives an attacker user privileges over the infected device. These privileges give the attacker unlimited opportunities to manipulate the data on the device. Among other things it gives them access to the victim’s username, passwords and authentication tokens, which are mandatory for an app to communicate with official Google services, and are inaccessible to ordinary applications on non-rooted devices. After installation, the Guerilla Trojan uses this data to communicate with the Google Play Store as if it was a real Google Play app.

The criminals are very cautious: they are careful enough to use the authentication data of a real user, and they also make requests from the fake client application, to Google Play, look exactly like requests that the real app would issue.

Another unusual thing about this Trojan is that malware writers have tried to mimic the way an actual user interacts with the store. For instance, before it requests a page where a particular app is hosted, it searches for an app of interest, like a human would, should they need to find an app.

“Guerilla is not the first malicious app that tries to manipulate the Google Play store, but it does it in a pretty sophisticated way that we haven’t seen before. The thinking behind this method is clear: Google can probably easily distinguish requests to Google Play that were made by robots – most of the Shuabang malware we know about just automatically sends out requests for the particular page of a particular app. This isn’t something that a real human would do, so it is easy for Google to see that the request is not really from an authorized user. The malware that searches an app before it goes to the app’s page is much harder to detect, as this is how most of Google Play users behave. It is important to note, however, that this malware is only capable of abusing Google Play mechanisms from rooted devices, which again reminds us of how important it is to avoid using rooted Android smartphones and tablets,” said Nikita Buchka, security expert at Kaspersky Lab.

Kaspersky Lab products detect the Guerilla malware as: Trojan.AndroidOS.Guerrilla.a.

In order to protect yourself and your mobile device from the malware that targets Android-based devices, Kaspersky Lab’s experts advise the following:

- Restrict the installation of apps from sources different from official app stores

- Use proven protection solutions to defend your Android-based device from malware and other cyberthreats

- Don’t root your Android device

To learn more about methods that cybercriminals use to abuse Google Play Store, read the blog post available at

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

For the latest in-depth information on security threat issues and trends, please visit:
Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Susan Rivera

Like a Human: Malware Learns How to Act to Bypass the Anti-Fraud Mechanisms of the Google Play Store

Kaspersky Lab experts have discovered an Android Trojan called Guerilla, which attempts to overcome the Google Play Store anti-fraud protection mechanisms.
Kaspersky Logo