Cisco Talos published its findings on a new Android trojan known as “GPlayed” on Oct. 11. At the time, we wrote that the trojan seemed to be in the testing stages of development, based on the malware’s code patterns, strings and telemetry visibility. Since then, we discovered that there’s already a predecessor to GPlayed, which we are calling “GPlayed Banking.” Unlike the first version of GPlayed, this is not an all-encompassing banking trojan. It is specifically a banking trojan that’s looking to target Sberbank AutoPay users, a service offered by the Russian state-owned bank.
GPlayed Banking is spread in a similar way to the original GPlayed. It’s disguised as a fake Google app store, but actually installs the malware once it’s launched. This further illustrates the point that Android users need to be educated on how to spot a malicious app, and that they should be careful as to what privileges they assign to certain programs.