Researchers at Check Point have uncovered a new malware variant that is being served via gaming apps on the Microsoft Store. The malware has been dubbed Electron Bot and is currently focused on social media promotion and click fraud. Once the trojanized game is downloaded from the Microsoft Store and launched, the malware executes its second stage. In most cases this is done through JavaScript that drops the payload onto the now infected machine.
As noted above, the current version is built for click fraud and social media manipulation. To accomplish this, it opens a hidden browser in which it directs traffic to chosen content, clicks on ads, and can even control and create social media accounts. It can create a Facebook account, then like and comment on posts, all to generate revenue for whatever the operators are promoting.
As part of its evasion techniques, the poisoned game fetches and loads the current malware from its C2 servers at run time, so the malicious code is not present in the app as it sits on the device. This makes it harder to catch with static inspection of the installed package. It also gives the operators persistence and modularity: they can change the payload at any time, for example to deploy ransomware or another tool. The malware also performs a quick check for common anti-malware software.
Pushing malware through app stores relies on the misconception that apps found in a store have been checked and are therefore safe. This is not true today, and it never has been. Although there are systems in place to check an app before it is published, there are far too many ways to get around those systems and still get malware into the store. We have seen this at its worst in the Google Play Store, but it can be found in other stores as well.
As malware hidden in app stores increases in prevalence and sophistication, we advise caution when downloading and installing anything. We also highly recommend the use of an anti-malware solution on your mobile devices and on your desktops and laptops. The consumer market may not have the same level of protection that the corporate world does, but having something is better than nothing.