DoubleHidden malware found hiding on Google Play

Android malware uses multiple tricks to remain hidden on devices.

We have uncovered a new Android Trojan that uses several techniques to hide itself on devices and to remain in the Google Play Store. The malicious app collects device information and displays advertisements. However, the functionality and behavior of this app could easily be extended to a wide range of other malicious purposes.

The malware (Android.Doublehidden) is localized in the Persian language. Its name translates to ‘Photograph by Fiery’ and it has a package name of com.aseee.apptec.treeapp.

The pattern of availability of this malicious app on Google Play suggests the author is attempting to remain under the radar. During October and November 2017, the app was updated five times, alternating between a working, legitimate photo editing app and this self-hiding malicious non-app. As far as we can tell, the app developer, ‘i.r.r developer’, publishes several other apps which are legitimate.

Read full news article on Symantec

 

