Not again. Google Play found to host malicious Android apps that seem legitimate, but install a mobile banking trojan
Google’s app vetting process is once again facing questions after security researchers uncovered another set of malicious apps on the official Android app store.
ESET detected eight malicious apps as Android/TrojanDropper.Agent.BKY on Google Play. The apps were apparently legitimate-looking and included a ‘Cleaner for Android’ and ‘World News’ app.
This is not the first time that Google Play has been found to be hosting malicious apps, and the discovery will once again raise concerns over the ability of these rogue apps to bypass Google Play’s protection mechanisms.
According to ESET, on the surface the eight apps did not request any suspicious permissions. Indeed, they even mimicked the activity the user expects them to exhibit.
But in reality these apps download another malicious app without the user's knowledge and, after a five-minute delay, prompt the user to install the downloaded app, which conceals a mobile banking trojan.
“The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example ‘Android Update’ or ‘Adobe Update’,” warned ESET. “In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions.”
This multi-stage malware did not get the chance to spread far: ESET said the apps had only been downloaded a few hundred times.
“We have discovered eight apps of this malware family on Google Play and notified Google’s security team about the issue,” added ESET. “Google has removed all eight apps from its store; users with Google Play Protect enabled are protected via this mechanism.”
But ESET said the malicious apps are interesting because of their advanced anti-detection features, their multi-stage architecture and their use of encryption, all of which helped the apps remain under the radar.
“In all the cases we investigated, the final payload was a mobile banking trojan,” said ESET. “Once installed, it behaves like a typical malicious app of this kind: it may present the user with fake login forms to steal credentials or credit card details.”
ESET advised any worried users to deactivate admin rights for the installed payload, uninstall the surreptitiously installed payload and then uninstall the app downloaded from the Play Store.
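The install chain described above (Play Store app downloads a second stage, which installs the final payload) leaves a trace in the installer field that Android records for every package. The following added example, not ESET's tooling or anything from the original article, parses constructed `adb shell pm list packages -i` output with invented package names, finds Play-installed apps that went on to install other packages, and derives the clean-up order ESET recommends (payload first, then the dropper). It assumes the `package:<name>  installer=<installer>` line format; deactivating device admin rights before uninstalling still has to be done manually.

```python
"""Added triage helper: spot apps that installed other apps, and order the clean-up."""
import re

PLAY_STORE = "com.android.vending"
# Installers that belong to the platform rather than to an app that sideloaded something.
TRUSTED_INSTALLERS = {PLAY_STORE, "com.google.android.packageinstaller", "null"}

# Constructed sample in `pm list packages -i` format; every package name is invented.
SAMPLE = """\
package:com.android.vending  installer=null
package:com.example.cleaner  installer=com.android.vending
package:com.example.fakeflash  installer=com.example.cleaner
package:com.example.bankbot  installer=com.example.fakeflash
package:com.example.worldnews  installer=com.android.vending
"""

LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse(text):
    """Return {package: installer} from `pm list packages -i` output."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def dropper_chains(installed):
    """Map each Play-installed app that installed something else to the
    packages it installed, directly or via a further stage, in install order."""
    children = {}
    for pkg, inst in installed.items():
        if inst not in TRUSTED_INSTALLERS:          # installed by another app
            children.setdefault(inst, []).append(pkg)
    chains = {}
    for root, inst in installed.items():
        if inst == PLAY_STORE and root in children:
            chain, stack = [], list(children[root])
            while stack:                             # breadth-first over stages
                p = stack.pop(0)
                chain.append(p)
                stack.extend(children.get(p, []))
            chains[root] = chain
    return chains


def removal_order(installed):
    """Deepest payload first, then intermediate stages, then the Play Store app."""
    order = []
    for root, chain in dropper_chains(installed).items():
        order.extend(reversed(chain))
        order.append(root)
    return order
```

Running `removal_order(parse(SAMPLE))` on the sample yields the banking payload, then the fake Flash stage, then the Play-installed "cleaner".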
“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does,” said ESET.
“Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.”
For many years Google has been facing questions over its app vetting process on the Google Play store.
Earlier this month, for example, a mobile app pretending to be WhatsApp was downloaded more than 1 million times before Google removed it.
And in April ESET discovered a fake Android app that stole PayPal credentials while masquerading as a service for earning money by watching in-app YouTube videos.
Last year Trend Micro found the DressCode malware, which allows attackers to infiltrate organisations' internal networks, in hundreds of applications on Google Play.
Google, for its part, started rolling out its Play Protect security features to Android in July this year, designed to give users more transparent and robust security on their smartphones and tablets.