Malicious Apps And Malware Bounce Back Into Google Play
A set of malicious applications hosting malware that was earlier detected and removed from Google Play has now reappeared, posing a fresh threat to Android security.
Security researchers at Symantec have spotted seven malicious apps that hide malware which helps hackers make money. A Symantec blog post that discusses the issue says: “The Google Play app store has a reputation as the safest place online to get Android apps, and Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings…We’ve encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed. The same code was published on Google Play with a slightly different name under a new publisher.”
The blog explains how the malware is hidden in seven apps that appear to offer interesting features. It says: “This malware (Android.Reputation.1) appears on the Play Store hidden in at least seven apps in the U.S. offering fun, useful, and sometimes insidious features. These include emoji keyboard additions, space cleaners, calculators, app lockers, and call recorders. None of the samples we analyzed actually functioned as advertised on their Google Play pages. Once the app is installed, it takes various measures to stay on the device, disappear, and erase its tracks.”
The malware is configured to wait four hours before it launches its malicious activity. This delay lets it slip past Google Play security and also gives the user a false sense of security about the app. Even if the user notices the device acting suspiciously, they might not suspect the “true culprit”.
Once the malware is activated, it seeks to consolidate its position on the device by asking for administrative privileges. With these, the malware can do what it needs to do, and the malicious app that hosts it cements its hold on the device as well. The hackers also use an official Google Play icon to make the request look genuine.
The malware works by delivering adware, which is pushed to the phone via Google Mobile Services. URLs that redirect the user to fake “you won” pages are launched on the phone in web views. The Symantec blog post says: “This configuration takes advantage of the legitimate and ubiquitous ‘Firebase Messaging’ service, copying yet another service into a command and control (C&C) service.”
Symantec researchers have also detected 38 other malicious apps that entered the Google Play store in December, posing as games and education apps.
Users can protect themselves from this malware and other malicious apps by following certain basic security guidelines. These include keeping software up to date, downloading and installing apps only from known sources, being careful about granting permissions to apps, installing Android security apps, and keeping regular backups of data.