GPlayed

Malware

⚠️ Overview

GPlayed is an Android banking trojan first documented in January 2019 by ThreatFabric, attributed to the same threat actor that developed the TeaBot (Anatsa) malware. It disguises itself as a Google Play Store update (package name com.google.android.gms.update) to trick users into granting Accessibility Service permissions. This malware falls under the categories of banking trojan, information stealer, and remote access trojan (RAT), primarily targeting financial credentials and SMS-based two-factor authentication codes.

🔧 Technical Capabilities

GPlayed propagates via malicious APKs hosted on third-party app stores and phishing websites, relying on social engineering to bypass Android's default sideloading blocks. Once installed, it requests Accessibility Service access, which it uses to perform overlay attacks—displaying fake login screens over legitimate banking apps to harvest credentials. It also intercepts all incoming SMS messages to steal one-time passwords and verification codes. The C2 infrastructure uses HTTP/HTTPS communication with JSON payloads, often hosted on compromised servers or bulletproof hosting providers. Persistence is achieved by registering as a device administrator and hiding its icon from the launcher. Evasion techniques include checking for emulators, anti‑debugging hooks, and dynamically loading malicious code from encrypted resources to avoid static detection.

📜 History & Notable Incidents

First detected in early 2019, GPlayed was part of a larger campaign targeting users in Europe, particularly Germany and Italy, as reported by ESET and ThreatFabric. In mid-2020, an updated variant added keylogging and screen-recording capabilities, allowing attackers to capture login credentials in real time. No specific CVEs are directly tied to GPlayed; instead, it exploits Android's Accessibility API (CVE-2019-2233 in some contexts) and abuses legitimate permissions. Law enforcement actions have not been publicly documented, but the malware's infrastructure was disrupted in late 2020 through sinkholing operations by security vendors.

🔍 Detection Indicators

Known file hashes for early GPlayed samples include SHA-256 8a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t and 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0u (per VirusTotal reports). Behavioral signatures include repeated requests for Accessibility Service, overlay windows matching banking app layouts, and outbound HTTP POST requests to domains like gplay-cdn[.]com and update-google[.]org. Registry keys are not applicable for Android; instead, check for the com.google.android.gms.update package and a mutex name "GPlayedUpdateLock". User-Agent strings often mimic Android WebView: Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36.
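The network indicators above can be turned into a small log matcher. The following is an added example, not code from the page or from Boteraser: it refangs the bracketed domains, scans constructed HTTP proxy log lines, and reports hits on the C2 domains (including subdomains) and on the mimicked WebView User-Agent prefix. The log format, the sample lines and the helper names are assumptions; only the indicator values come from the page.

```python
"""Indicator matcher for the GPlayed network IoCs (added example).

Only the domain, package and User-Agent values come from the page; the
log format, sample lines and function names are constructed here.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators as listed on the page, kept in defanged form.
DEFANGED_DOMAINS = ["gplay-cdn[.]com", "update-google[.]org"]
SUSPECT_PACKAGE = "com.google.android.gms.update"
# The page quotes the User-Agent the malware mimics; real WebView strings
# carry trailing version tokens, so match on the prefix.
SUSPECT_UA_PREFIX = "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed log format: "<timestamp> <client-ip> <METHOD> <url> ua=\"<user-agent>\""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    line_no: int
    reason: str   # "c2-domain" or "user-agent"
    value: str    # the host or User-Agent that matched


def host_matches(host: str) -> bool:
    """True for an indicator domain or any subdomain of one (not lookalikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_proxy_log(lines):
    """Return a Hit for every indicator match found in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        host = urlparse(m["url"]).hostname or ""
        if host_matches(host):
            hits.append(Hit(n, "c2-domain", f"{m['method']} {host}"))
        if m["ua"].startswith(SUSPECT_UA_PREFIX):
            hits.append(Hit(n, "user-agent", m["ua"]))
    return hits


# Constructed sample log: line 1 is benign, line 2 is a POST to a C2 domain
# with the mimicked User-Agent, line 3 is a subdomain of the second C2 domain,
# line 4 is a lookalike host that must NOT match.
SAMPLE_LOG = [
    '2020-06-01T10:00:01Z 10.0.0.12 GET https://www.example.org/ ua="Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/83.0"',
    '2020-06-01T10:00:05Z 10.0.0.12 POST https://gplay-cdn.com/api/v1/sms ua="Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/74.0"',
    '2020-06-01T10:00:09Z 10.0.0.12 GET https://cdn.update-google.org/update.apk ua="Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/83.0"',
    '2020-06-01T10:00:12Z 10.0.0.12 POST https://notgplay-cdn.com/ ua="Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/83.0"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason}: {hit.value}")
```

The suffix check in host_matches deliberately requires a dot boundary so that a host such as notgplay-cdn.com does not trip the gplay-cdn.com indicator; the hash values quoted above are left out of the matcher because file hashes belong in an endpoint or APK-scanning tool, not a proxy log.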

☠️ Risk & Impact

GPlayed directly causes financial losses by exfiltrating banking credentials and SMS‑based 2FA codes, enabling unauthorized transfers from victim accounts. Affected sectors are primarily consumer banking and fintech, with additional targeting of cryptocurrency wallets and payment apps. The malware also risks privacy breaches by capturing all SMS messages and keylogged keystrokes, potentially exposing personal and work‑related data.

🛡️ Mitigation

Defensive measures include disabling sideloading of apps from unknown sources, running Google Play Protect scans, and using endpoint detection rules that flag Accessibility Service abuse (e.g., YARA rule GPlayed_Accessibility_Overlay). Organizations should deploy mobile threat defense (MTD) solutions with behavioral analysis and block network indicators using threat feeds from vendors like ThreatFabric and ESET.
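As an added example of the endpoint side of these measures (not code from the page or from Boteraser), the helpers below read two stock Android shell outputs, `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`, and report the GPlayed indicators named on this page: the com.google.android.gms.update package, that package holding an enabled accessibility service, and a Google-looking package that was sideloaded rather than installed by Play. The sample outputs, the service class name and the accessibility allowlist are constructed for the example.

```python
"""Device triage for the GPlayed indicators (added example).

Parses constructed output in the shape printed by
`adb shell pm list packages -3 -i` ("package:<name>  installer=<pkg|null>")
and `adb shell settings get secure enabled_accessibility_services`
(colon-separated "<package>/<ServiceClass>" entries, or "null").
"""
SUSPECT_PACKAGE = "com.google.android.gms.update"   # from the page
PLAY_STORE_INSTALLER = "com.android.vending"         # Google Play's package name

# Accessibility services the organization has reviewed; anything else is
# reported for follow-up. Constructed allowlist for the example.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Package prefixes a sideloaded app should not be using.
LOOKALIKE_PREFIXES = ("com.google.", "com.android.")


def parse_pm_list(output: str) -> dict:
    """Map package name -> installer (None when 'null') from pm list output."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        tokens = line[len("package:"):].split()
        name = tokens[0]
        installer = None
        for tok in tokens[1:]:
            if tok.startswith("installer="):
                value = tok[len("installer="):]
                installer = None if value == "null" else value
        packages[name] = installer
    return packages


def parse_accessibility_services(value: str) -> list:
    """Return the package names that own enabled accessibility services."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def triage(pm_output: str, accessibility_value: str) -> list:
    """Return (finding, package) tuples for the indicators on the page."""
    findings = []
    packages = parse_pm_list(pm_output)
    for name in sorted(packages):
        installer = packages[name]
        if name == SUSPECT_PACKAGE:
            findings.append(("suspect-package", name))
        # A third-party app using a Google/Android namespace that did not
        # come from Play is the "fake Play Store update" pattern in general.
        if name.startswith(LOOKALIKE_PREFIXES) and installer != PLAY_STORE_INSTALLER:
            findings.append(("sideloaded-google-lookalike", name))
    for pkg in parse_accessibility_services(accessibility_value):
        if pkg == SUSPECT_PACKAGE:
            findings.append(("accessibility-abuse", pkg))
        elif pkg not in ALLOWED_ACCESSIBILITY:
            findings.append(("accessibility-review", pkg))
    return findings


# Constructed sample outputs.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.google.android.gms.update  installer=null
package:org.mozilla.firefox  installer=com.android.vending
"""
# The service class name after the slash is invented for the example.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.google.android.gms.update/com.google.android.gms.update.AccessibilityHelper"
)

if __name__ == "__main__":
    for finding, pkg in triage(SAMPLE_PM_OUTPUT, SAMPLE_ACCESSIBILITY):
        print(f"{finding}: {pkg}")
```

The lookalike check generalizes beyond the single package name on the page: it flags any third-party package in a Google or Android namespace whose installer is not Play, which is the pattern a fake "Play Store update" relies on. Pulling the real outputs is a matter of piping the two adb commands into the parsers; nothing here modifies the device.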


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.