Infected Images Found in Dozens of Google Play Games

While you can download Android apps from just about anywhere, it's usually safest to do it through the Google Play store. Usually. Recently, dozens of infected games have made their way past Google's malware sniffers and into the store, from which thousands of people have downloaded the titles and exposed themselves to a very nasty Trojan horse. Here's the catch: The Trojan was hidden not within the games themselves, but within the pictures the games used.

Credit: George J. McLittle/Shutterstock

The information comes via Dr. Web, a Moscow-based security firm that produces a line of antivirus software. Researchers at the company found more than 60 infected games produced by more than 30 companies and developers you've probably never heard of (unless you're just crazy about knockoffs such as Shoot the Fruit, Jurassic Shooter 3D or Hippo Simulator 3D).

As if paying for these copycat games weren't punishment enough, it turns out that the games are also chock-full of harmful software in the form of the Android.Xiny.19.origin Trojan. This malicious program can install unwanted programs (mostly adware, but possibly much worse) and send a phone or tablet's IMEI identifier and MAC address to a remote server. It's not as bad as a cybercriminal getting ahold of your e-mail address and password, but it's still a way to identify and target your device for further tampering.

Infected games do make their way into Google Play now and then, but what makes this case interesting is how the Trojan evades detection. It's not bound up in a game's code, but rather in image files used by the game. The practice of hiding messages within images is known as steganography, and has been in use since at least the 15th century. By hiding malicious code within images rather than executable files, cybercriminals were able to bypass the tight security screening of Google's Bouncer software.
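For readers who review apps, here is an added example (not from Dr. Web or from this article's author) of one basic check on an app's image files: walking each PNG's chunk list and flagging any bytes stored after the image's end marker. The article does not say how the data was embedded in this case, so the appended-data case is an assumption chosen for illustration; data hidden inside the pixels themselves would not be caught by this check. The file names and the sample archive are constructed.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic numbers of loadable code/archives, looked for only in data after IEND.
MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex", b"\x7fELF": "elf"}

def inspect_png(data):
    """Walk the PNG chunk list and report any bytes that follow the IEND chunk."""
    result = {"valid_png": False, "trailing_bytes": 0, "embedded": []}
    if not data.startswith(PNG_SIG):
        return result
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length            # length + type + body + CRC
        if pos > len(data):
            return result             # truncated chunk: not a well-formed PNG
        if ctype == b"IEND":
            tail = data[pos:]
            result.update(valid_png=True, trailing_bytes=len(tail),
                          embedded=sorted(n for m, n in MAGICS.items() if m in tail))
            return result
    return result

def scan_apk(apk_bytes):
    """Return findings for every .png entry that is malformed or has trailing data."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".png"):
                finding = inspect_png(zf.read(name))
                if not finding["valid_png"] or finding["trailing_bytes"]:
                    hits[name] = finding
    return hits

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_apk():
    """Constructed test archive: one clean 1x1 PNG, one with inert bytes appended."""
    png = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/drawable/icon.png", png)
        zf.writestr("assets/bg.png", png + b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for name, finding in scan_apk(sample_apk()).items():
        print(name, finding)
```

A hit is a reason to look closer at the file, not proof of malware: some image tools leave harmless bytes after the end marker.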

Dr. Web did not speculate about whether attackers had hijacked otherwise benign apps, or whether the developers had put the Trojans in themselves. Many of the infected games are still available on Google Play, though they probably won't be for long. (Publishers allegedly posting infected games included BILLAPS, Conexagon Studio and Fun Color Games; again, we don't know if the publishers were in on it.) Infection prevention is simple: If you see a shoddy "me-too" game in the store, don't bother with it, and stick to more reliable titles from proven studios.

If you've already downloaded one of the infected titles, an Android virus scan should get rid of it. It won't, however, give you back the irretrievable time you spent playing Temple Death Run with an angry Santa Claus avatar.