
Mobile Threat Monday: Operation Malware Drop

By Jordan Minor, Principal Writer, Software



It goes without saying that we here at PCMag have no respect for people who create malware. Technology should improve your life, but these criminals use their technical knowledge to make life worse for their victims. With that said, sometimes you can't help but morbidly admire how complex a malicious program is and the lengths it goes to in order to infect your device. Take for example this week's mobile threat tip from Malwarebytes. Once this app gets on your Android phone, it creates even more malware apps of its own.

Shell Game

What makes Trojan.Dropper.RealShell so threatening, and so like an Xzibit meme, is how the malicious Android Application Package (APK) contains even more APKs within its APKs. Confused already? Let's start at the first level. Inside RealShell is an asset folder full of files. On their own those files are random and powerless. But after RealShell is installed, it rearranges those files in a set order to create a single .lock file. According to Malwarebytes, "this method obfuscates the malicious app's intentions." Pretty sneaky, sis.

The .lock file then becomes its own APK, and like any newborn baby, it relies heavily on its parent since it can't do much on its own. The new APK first downloads resources from the original app. Using the Android DexClassLoader class, it can then write and execute new code through the original app without having to install anything. Things only get trickier from there.

With the new code, the original APK transforms into yet another new app that creates, you guessed it, yet another APK. By accessing its special libraries, the parent app creates PUP.RiskPay.Skymobi, a typical SMS payment scam SDK. That seems to be the farthest this rabbit hole goes, at least for now.
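The two tells in the chain described above, asset files that only become an archive once concatenated in the right order and outer code that calls DexClassLoader to run it, are both visible to a static scanner before anything is installed. The script below is an added example written for this article, not code from PCMag or Malwarebytes: it treats an APK as the ZIP it is, flags any classes.dex that references the DexClassLoader type descriptor, looks through assets/ for fragments carrying ZIP or DEX header bytes, and then tries to reassemble the fragments into a valid archive (bounded permutation search, since the real dropper's ordering scheme is not on the page and is assumed unknown). The sample APK it scans is constructed in memory with the standard library; its file names and contents are made up for the demonstration.

```python
"""
Static triage heuristics for an APK suspected of hiding a second-stage
APK/DEX as split fragments under assets/ (the RealShell pattern described
in the article). Everything here, including the sample APK, is constructed
for the example and is not Malwarebytes' or PCMag's code.
"""
import io
import itertools
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"               # start of every ZIP/APK entry
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"         # record that closes a ZIP/APK
DEX_MAGIC = re.compile(rb"dex\n03[5-9]\x00")   # DEX header, versions 035-039
# Type descriptor that sits in a DEX string pool when code uses the dynamic
# loader the article names.
DEX_CLASS_LOADER = b"Ldalvik/system/DexClassLoader;"


def scan_apk(apk_bytes):
    """Return a dict of heuristic findings for an APK supplied as bytes."""
    findings = {
        "dex_class_loader": False,      # outer code can load DEX at runtime
        "zip_magic_fragments": [],      # assets containing a ZIP entry header
        "dex_magic_fragments": [],      # assets containing a DEX header
        "eocd_fragments": [],           # assets containing a ZIP end record
        "hidden_archive_order": None,   # fragment order that yields a valid ZIP
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        for name in names:
            if re.fullmatch(r"classes\d*\.dex", name) and DEX_CLASS_LOADER in apk.read(name):
                findings["dex_class_loader"] = True
        fragments = {}
        for name in sorted(n for n in names if n.startswith("assets/") and not n.endswith("/")):
            data = apk.read(name)
            fragments[name] = data
            if ZIP_LOCAL_HEADER in data:
                findings["zip_magic_fragments"].append(name)
            if DEX_MAGIC.search(data):
                findings["dex_magic_fragments"].append(name)
            if ZIP_END_OF_CENTRAL_DIR in data:
                findings["eocd_fragments"].append(name)
    findings["hidden_archive_order"] = reassemble_fragments(fragments)
    return findings


def reassemble_fragments(fragments, max_fragments=6):
    """Try to concatenate asset fragments into a valid ZIP.

    A real archive must begin with a local file header, so only fragments that
    start with that signature are tried as the head; the rest are permuted
    (bounded by max_fragments to keep the search cheap). Returns the ordered
    list of fragment names on success, else None.
    """
    if not fragments or len(fragments) > max_fragments:
        return None
    heads = [n for n, d in fragments.items() if d.startswith(ZIP_LOCAL_HEADER)]
    for head in heads:
        rest = [n for n in fragments if n != head]
        for order in itertools.permutations(rest):
            candidate = fragments[head] + b"".join(fragments[n] for n in order)
            try:
                with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                    if zf.testzip() is None:   # every entry header and CRC checks out
                        return [head, *order]
            except Exception:  # any parse failure: this ordering is not an archive
                continue
    return None


def is_suspicious(findings):
    """Verdict: runtime DEX loading plus archive material hidden in assets."""
    return findings["dex_class_loader"] and (
        findings["hidden_archive_order"] is not None or bool(findings["zip_magic_fragments"])
    )


def build_sample_apk():
    """Constructed sample: a fake outer APK whose assets hide a split inner APK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # fake DEX body
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    blob = inner.getvalue()
    third = len(blob) // 3
    chunks = [blob[:third], blob[third:2 * third], blob[2 * third:]]
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Fake outer classes.dex whose string pool references DexClassLoader.
        zf.writestr("classes.dex", b"dex\n035\x00" + DEX_CLASS_LOADER + b"\x00" * 16)
        # Fragments stored under names that do not reveal their true order.
        zf.writestr("assets/c.dat", chunks[0])
        zf.writestr("assets/a.dat", chunks[1])
        zf.writestr("assets/b.dat", chunks[2])
    return outer.getvalue()


if __name__ == "__main__":
    result = scan_apk(build_sample_apk())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

Run it directly to see the findings for the constructed sample. Against a real APK you would pass the file's bytes to scan_apk; the permutation search is deliberately capped because a dropper that splits its payload into dozens of pieces would make brute-force reassembly impractical, at which point the header-byte hits and the DexClassLoader reference alone are the signal worth escalating.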

Staying Safe

Thanks to its twisting tendrils of apps within apps, Trojan.Dropper.RealShell is probably even more difficult to identify and remove than it is to succinctly describe. Fortunately, despite its cunning obfuscation techniques, it hasn't finagled its way onto the Google Play store, so as long as you stick to downloading your Android apps directly from there you should be fine. The malware also originates from China, so steer clear of suspicious apps that appear to be from that region. For a more detailed overview of Trojan.Dropper.RealShell check out this post on the Malwarebytes blog.

Smartphones are the new malware frontier, and malware is only going to get more powerful, complicated, and ruthless to achieve the goals of its hacker creators. RealShell is just the latest example. That's why you need Android security products if you're going to keep up, and vendors like Malwarebytes and Editors' Choice winners Avast and Bitdefender are all great places to start looking.
