{
	"id": "70416cb8-02ba-4b74-991f-3f1d4b14ceea",
	"created_at": "2026-04-06T00:16:29.070629Z",
	"updated_at": "2026-04-10T03:30:33.403389Z",
	"deleted_at": null,
	"sha1_hash": "717ee8c7724314f252eb2e5a88edaac7f0afe380",
	"title": "GPlayed Trojan - .Net playing with Google Market",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1150453,
	"plain_text": "GPlayed Trojan - .Net playing with Google Market\r\nBy Vitor Ventura\r\nPublished: 2018-10-11 · Archived: 2026-04-05 19:16:25 UTC\r\nThursday, October 11, 2018 09:06\r\nThis blog post is authored byVitor Ventura.\r\nIntroduction\r\nIn a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives\r\nmore and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has\r\nidentified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed \"GPlayed.\"\r\nThis is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective\r\ntool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label\r\n\"Google Play Marketplace\" to disguise itself.\r\nhttps://blog.talosintelligence.com/2018/10/gplayedtrojan.html\r\nPage 1 of 12\n\nThe malicious application is on the left-hand side.\r\nWhat makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this\r\nadaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET\r\ncode that can be executed. Our analysis indicates that this trojan is in its testing stage but given its potential, every\r\nmobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores\r\nand instead want to deliver their software directly through their own means. But GPlayed is an example of where\r\nthis can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.\r\nTrojan architecture and capabilities\r\nThis malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called\r\n\"Reznov.DLL.\" This DLL contains one root class called \"eClient,\" which is the core of the trojan. 
The imports\r\nreveal the use of a second DLL called \"eCommon.dll.\" We determined that the \"eCommon\" file contains support\r\ncode and structures that are platform independent. The main DLL also contains eClient subclasses that implement\r\nsome of the native capabilities.\r\nThe package certificate is issued under the package name, which also resembles the name of the main DLL.\r\nCertificate information\r\nThe Android package is named \"verReznov.Coampany.\" The application uses the label \"Installer\" and its name is\r\n\"android.app.Application.\"\r\nPackage permissions\r\nThe trojan declares numerous permissions in the manifest, from which we should highlight\r\nBIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.\r\nThis trojan is highly evolved in its design. It has a modular architecture implemented in the form of plugins, and it\r\ncan also receive new .NET source code, which will be compiled on the device at runtime.\r\nInitialization of the compiler object\r\nThe plugins can be added at runtime, or they can be added as a package resource at packaging time. This means\r\nthat the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package\r\non the device.\r\nTrojan native capabilities\r\nThis is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This\r\nmeans that the malware can do anything from harvesting the user's banking credentials to monitoring the device's\r\nlocation. 
There are several indicators (see section \"trojan activity\" below) that it is in its last stages of\r\ndevelopment, but it has the potential to be a serious threat.\r\nTrojan details\r\nUpon boot, the trojan will start by populating a shared preferences file with the configuration it has on its internal\r\nstructures. Afterward, it will start several timers to execute different tasks. The first timer will be fired on the\r\nconfigured interval (20 seconds in this case), pinging the command and control (C2) server. The response can\r\neither be a simple \"OK,\" or can be a request to perform some action on the device. The second timer will run\r\nevery five seconds and will try to enable the WiFi if it's disabled. The third timer will fire every 10 seconds and\r\nwill attempt to register the device with the C2 and acquire wake locks on the system to control the device's\r\npower state.\r\nDuring the trojan registration stage, the trojan exfiltrates private information such as the phone's model, IMEI,\r\nphone number and country. It will also report the version of Android that the phone is running and any additional\r\ncapabilities.\r\nDevice registration\r\nThis is the last of the three main timers that are created. The trojan will register the SMS handler, which will\r\nforward the contents and the sender of all of the SMS messages on the phone to the C2.\r\nThe final step in the trojan's initialization is the escalation and maintenance of privileges on the device. This is\r\ndone both by requesting admin privileges on the device and by asking the user to allow the application to access the\r\ndevice's settings.\r\nPrivilege escalation requests\r\nThe screens asking for the user's approval won't close unless the user approves the privilege escalation. 
If the user\r\ncloses the windows, they will appear again due to the timer configuration.\r\nAfter the installation of the trojan, it will wait randomly between three and five minutes to activate one of the\r\nnative capabilities — these are implemented in the eClient subclass called \"GoogleCC.\" This class will open a\r\nWebView with a Google-themed page asking for payment in order to use the Google services. This will take the\r\nuser through several steps until it collects all the necessary credit card information, which will be checked online\r\nand exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is\r\nrequested from the user.\r\nSteps to request the user's credit card information\r\nIn our sample configuration, the views above cannot be canceled or removed from the screen —\r\nbehaving just like a screen lock that won't be disabled without providing credit card information.\r\nAll communication with the C2 is done over HTTP. The trojan uses a standard web request first, and writes the data\r\ninto a WebSocket if that fails; the WebSocket thus serves as a backup communication channel.\r\nBefore sending any data to the C2, the trojan attempts to disguise it: the data is serialized as JSON,\r\nwhich is then encoded in Base64. The trojan then replaces every '=' with 'AAAZZZXXX', every '+' with '|' and every '/'\r\nwith '.' to disguise the Base64.\r\nRequest encoding process\r\nThe HTTP requests follow the format below, while on the WebSocket only the query data is written.\r\n\u003cserver path\u003e?q=\u003cIMEI\u003e-\u003cREQUEST CODE\u003e:\u003cObfuscated Base64 encoded data\u003e\r\nAs is common with trojans, the communication is always initiated by the trojan on the device to the C2. 
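\r\nThe beacon format and encoding above, worked through as an encoder, a decoder and a scanner over proxy log lines. This is an added example written for this page; it is not code from the Talos post and not the trojan's own implementation. The IMEI, the request code value, the registration payload and the proxy log lines are constructed for illustration (the C2 host is the first URL from the IOC section), and because the post gives names but no numeric values for its response codes, the code treats the request code as an opaque integer.\r\n
```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Substitutions the post describes: '=' -> 'AAAZZZXXX', '+' -> '|', '/' -> '.'
SUBS = (('=', 'AAAZZZXXX'), ('+', '|'), ('/', '.'))


def obfuscate(payload):
    # Serialize to compact JSON, Base64-encode, then disguise the three Base64 characters.
    blob = base64.b64encode(json.dumps(payload, separators=(',', ':')).encode()).decode()
    for plain, disguised in SUBS:
        blob = blob.replace(plain, disguised)
    return blob


def deobfuscate(blob):
    # Undo the substitutions and decode. The padding marker is reversed first; a chance
    # 'AAAZZZXXX' inside real Base64 would be misread, an ambiguity the scheme itself has.
    for plain, disguised in SUBS:
        blob = blob.replace(disguised, plain)
    return json.loads(base64.b64decode(blob).decode())


def build_request(server_path, imei, request_code, payload):
    # <server path>?q=<IMEI>-<REQUEST CODE>:<obfuscated data>
    return '%s?q=%s-%d:%s' % (server_path, imei, request_code, obfuscate(payload))


# q value: 15-digit IMEI, '-', decimal code, ':', then Base64 in which '|' and '.' may
# appear and '=', '+', '/' never do (they have been substituted away).
Q_PATTERN = re.compile('^([0-9]{15})-([0-9]+):([A-Za-z0-9|.]+)$')


def parse_request(url):
    # Return (imei, code, payload) for a URL shaped like the beacon, otherwise None.
    q = parse_qs(urlsplit(url).query).get('q', [None])[0]
    if q is None:
        return None
    m = Q_PATTERN.match(q)
    if m is None:
        return None
    try:
        payload = deobfuscate(m.group(3))
    except ValueError:
        # Not valid Base64/JSON after reversal: some other site's q= parameter.
        return None
    return (m.group(1), int(m.group(2)), payload)


def scan_log(lines):
    # Decode every beacon found in proxy log lines whose last field is the URL.
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if not fields:
            continue
        parsed = parse_request(fields[-1])
        if parsed is not None:
            hits.append((number,) + parsed)
    return hits


# Constructed registration payload and proxy log lines (illustration only, not from the
# post); the IMEI is a made-up test value, the C2 host is the first IOC URL.
REGISTRATION = {'model': 'SM-G950F', 'os': '8.0.0', 'country': 'RU', 'phone': '+79990000000'}
SAMPLE_LOG = [
    '2018-10-11T09:06:01Z 10.0.0.7 GET http://www.example.invalid/index.html',
    '2018-10-11T09:06:02Z 10.0.0.7 GET '
    + build_request('http://5.9.33.226:5416/', '356938035643809', 1, REGISTRATION),
    '2018-10-11T09:06:03Z 10.0.0.7 GET http://www.example.invalid/search?q=android+trojan',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('line %d: IMEI %s code %d payload %r' % hit)
```
\r\nThe scanner keys on what a proxy log exposes: a 15-digit IMEI, the code:blob separator, and a Base64 blob that may contain '|' or '.' but never '=', '+' or '/'. The 'AAAZZZXXX' padding marker on its own is a usable pivot for a content rule, since that nine-character run is vanishingly unlikely in ordinary Base64.\r\n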
The\r\nrequest codes are in fact replies to the C2's action requests, which the trojan itself calls \"responses.\" There are 27\r\nresponse codes that the C2 can use to make requests to the trojan, and they closely match what's listed in the\r\ncapabilities section.\r\nError\r\nRegistration\r\nOk\r\nEmpty\r\nSendSMS\r\nRequestGoogleCC\r\nWipe\r\nOpenBrowser\r\nSendUSSD\r\nRequestSMSList\r\nRequestAppList\r\nRequestLocation\r\nShowNotification\r\nSetLockPassword\r\nLockNow\r\nMuteSound\r\nLoadScript\r\nLoadPlugin\r\nServerChange\r\nStartApp\r\nCallPhone\r\nSetPingTimer\r\nSMSBroadcast\r\nRequestContacts\r\nAddInject\r\nRemoveInject\r\nEvaluate\r\nAnother feature of this trojan is the ability to register injects, which are JavaScript snippets of code. These will be\r\nexecuted in a WebView object created by the trojan. This gives the operators the capability to trick the user into\r\naccessing any site while stealing the user's cookies or forging form fields, like account numbers or phone\r\nnumbers.\r\nTrojan activity\r\nAt the time of the writing of this post, all URLs (see IOC section) found on the\r\nsample were inactive, and it does not seem to be widespread. There are some indicators that this\r\nsample is just a test sample in its final stages of development. There are several strings and labels\r\nstill mentioning 'test' or 'testcc' — even the URL used for the credit card data exfiltration is\r\nnamed \"testcc.php.\"\r\nDebug information on logcat\r\nAnother indicator is the amount of debugging information the trojan is still generating — a production-level trojan\r\nwould keep its logging to a minimum.\r\nThe only sample was found on public repositories and almost seemed to indicate a test run to determine the\r\ndetection ratio of the sample. 
We have observed this trojan being submitted to public antivirus testing platforms,\r\nonce as a package and once for each DLL to determine the detection ratio. The sample analyzed was targeted at\r\nRussian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the\r\ntrojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy.\r\nThe wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or\r\nransomware. This makes it impossible to create a target profile.\r\nConclusion\r\nThis trojan shows a new path for threats to evolve. The ability to move code from desktops to mobile\r\nplatforms with no effort, as eCommon.dll demonstrates, means that malicious actors can create hybrid threats\r\nfaster and with fewer resources than ever before. This trojan's design and implementation are of an\r\nuncommonly high level, making it a dangerous threat. These kinds of threats will become more common as more\r\nand more companies decide to publish their software directly to consumers.\r\nThere have been several recent examples of companies choosing to release their software directly to consumers,\r\nbypassing traditional storefronts. The average user might not have the necessary skills to distinguish legitimate\r\nsites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on\r\ndesktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. 
And this just\r\nmeans attackers will continue to be successful.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of compromise (IOC)\r\nURLs\r\nhxxp://5.9.33.226:5416\r\nhxxp://172.110.10.171:85/testcc.php\r\nhxxp://sub1.tdsworker.ru:5555/3ds/\r\nHash values\r\nPackage.apk - a342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f\r\neCommon.dll - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1\r\nReznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3\r\nCustom activity prefix\r\ncom.cact.CAct\r\nSource: https://blog.talosintelligence.com/2018/10/gplayedtrojan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"
	],
	"report_names": [
		"gplayedtrojan.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/717ee8c7724314f252eb2e5a88edaac7f0afe380.pdf",
		"text": "https://archive.orkl.eu/717ee8c7724314f252eb2e5a88edaac7f0afe380.txt",
		"img": "https://archive.orkl.eu/717ee8c7724314f252eb2e5a88edaac7f0afe380.jpg"
	}
}