5 Things Solution Providers Need To Know About Gooligan Malware
Submitted by Sarah Kuranda on
How Does The Attack Work?
A device is infected when a user downloads an infected application or clicks a malicious link in a phishing email, Check Point said. The company said it has found traces of the malware on "dozens of legitimate-looking apps" on third-party app stores (it has compiled a list of known infected apps on its blog). The malware was first discovered in the malicious SnapPea backup application. Once a device is infected, the malware sends device data to a command-and-control server, downloads a rootkit and can then take full control of the device and execute commands, such as stealing email account and authentication token information, installing apps, and installing adware. Check Point said it appears that attackers are funding the campaign by simulating clicks on app advertisements and leaving positive reviews and high ratings, leading to further app sales.