
Malicious apps on Google Play: how threat actors use the DNS protocol to covertly connect trojans to C&C servers

ID: 3ec363be-1233-5d7a-96e2-6d7b9d720271

STIX ID: report--3ec363be-1233-5d7a-96e2-6d7b9d720271

Feed Name: Dr.Web News

Threat Score: 70/100

Date Published: 2024-11-11

Date Updated: 2026-04-27


This Dr.Web report analyzes Android.FakeApp.1669, a family of Android trojans distributed through Google Play, with collective downloads reported at over ~2.16M. The trojans use a modified dnsjava library to request DNS TXT records from attacker-controlled DNS servers; the TXT records carry a per-device, encoded configuration that causes the app to load malicious web content (redirect chains leading to online casino sites) inside a WebView when the device is on a targeted ISP, while presenting normal app functionality otherwise. The report documents the affected app names and download counts, the steps for decoding the DNS-delivered configuration, the device metadata encoded in subdomains, and example IoCs, and notes that Dr.Web detects and removes known variants.
