Cybersecurity researchers have discovered a new trojan that hijacks unsuspecting Android user accounts in order to leave fake reviews on websites and app stores.

The team at Kaspersky Lab published a report last week about the malware ‘Trojan-Dropper.AndroidOS.Shopper.a’ – also known as Shopper.

Shopper posts fake reviews to the Google Play store promoting dodgy apps, can register users to other shopping apps like Alibaba, and even download potentially malicious apps from third-party app stores.

Malware analyst, Igor Golovin, warned that fake reviews are only the tip of the iceberg for this trojan.

“Despite the fact that at the moment, the real danger stemming from this malicious app is limited to unsolicited ads, fake reviews and ratings issued in the name of the victim, no one can guarantee that the creators of this malware will not change their payload to something else,” Golovin said.

“For now, the focus of this malicious app is on retail, but its capabilities enable attackers to spread fake information via users’ social media accounts and other platforms.

“For example, it could automatically share videos containing whatever the operators behind Shopper would want on personal pages of users accounts and just flood the internet with unreliable information.”

Something seems off about some of these reviews. Source: Kaspersky

Kaspersky is not sure how the malware spreads but suspects it could be via fake ads or apps that are installed through third-party stores.

Once the malware has made its way onto an Android device, Shopper uses Google Accessibility Services – an otherwise helpful Android feature – to control the device without the user noticing.

Google Accessibility services are designed to enhance the function of Google products for people living with disabilities. For example, Google Accessiblity can read app content aloud, send it to a braille display, automate features of the Android OS, or emulate physical device buttons that have stopped working.

But in the hands of bad actors, the disability-focused features can go rogue.

If Shopper isn’t given automatic AccessibilityService rights after activating, it will instead send phishing requests in the form of a message that says “Warning! This phone is at risk, please open this access [sic] to ensure safe use”.

Some of the code used to phish AccessibilityServices rights. Source: Kaspersky

“Once it has the permission to use the service, the malware can gain almost unlimited opportunities to interact with the system interface and applications,” Kaspersky said in its write-up about Shopper.

“It can capture data featured on the screen, press buttons and even emulate user gestures.”

Android users have been prime targets of late, with the Joker trojan and a WhatsApp impersonator troubling users last year.

Golgovin warns that the easiest way to stay free of malware is to be careful installing apps from unauthorised sources.

“If access is requested by a program whose functionality does not require AccessibilityService, be wary,” he said.

“And the best option is not to install apps from dubious sources at all, including from ads, whatever they promise.”