Cyber security researchers from ESET have discovered that a Turkish alternative to Android’s Google Play Store, Cepkutusu.com, has been spreading malware masquerading as Android apps.
ESET found that when users tried to download any app from Cepkutusu.com they were redirected to a site that downloaded malware disguised in the form of an installer for Adobe Flash Player for Android.
“Probably to increase their chances to stay under the radar longer, they introduced a seven-day window of not serving malware after a malicious download,” he explained.
“In practice, after the user downloads the infected app, a cookie is set to prevent the malicious system from prevailing, leading to the user being served clean links for the next seven days. After this period passes, the user gets redirected to the malware once they try to download any application from the store.”
However, once the malware does activate is acts as a banking trojan, where it is able to intercemt SMS messages to bypass two-step verification and can install other apps and display fake activity.
Cepkutusu.com was alerted to the malware and has since stopped the malicious activity. Though the source of the malware is not currently known, it could potentially be an insider attack carried out by a malicious employee at Cepkutusu.com or an external attack using the store as an attack vector.
Of course, there is potential that Cepkutusu.com was set up deliberately to spread malware.
The best way to avoid such malware is to only use apps that are on the official Google Play Store and even then proceed with caution and make use of Google Play Protect security service, as some apps can contain malware than can snake its way on to the Play Store.