Despite Google’s efforts to keep its Android store risk-free, malicious apps continue to make it past the verification process. In September, the assortment of trojans detected in Google Play included downloaders, bankers, adware, and spyware.
Apps in popular categories like photo editing or system utilities came with malicious components that subscribe users to premium services or steal personal information.
Downloaders and premium subscriptions
Researchers from Russian antivirus maker Doctor Web found multiple apps on Google Play posing as games that delivered malware downloaders.
Once on the user’s device, the malware tried to install various software, some of it malicious in nature, according to instructions from the command and control server.
One game found to host the nefarious component is Motocycle Road 2D, which is currently available from third-party Android stores.
Malware belonging to a trojan family Doctor Web detects as Android.Joker was also discovered in apps on Google Play. It was embedded in software like camera plugins, photo editors, image wallpaper apps, and system and security utilities.
Cybercriminals chose apps in these categories for their popularity with Android users. However, in these cases, Google acted quickly and removed the offensive entries.
BleepingComputer asked Doctor Web for statistics regarding the number of installations for each malicious app, but the company did not reply to our request.
Nevertheless, the review count varied between five and 175, which indicates that they were not installed in large numbers. Still, they were installed on at least a few hundred phones.
The malware in these apps could “subscribe users to expensive services by loading websites with premium content and clicking the appropriate links without user’s knowledge,” the researchers write in a report today.
Confirming the subscription was possible by reading the verification codes from text messages. Furthermore, the researchers say that Android.Joker also stole phone contacts and delivered them to the attackers.
A security researcher in a tweet this week pointed to two other apps that exfiltrate contact lists and leak them to an unprotected database.
These two young apps on @GooglePlay steal the users’ contact lists and leak them all (~3k unique records) via unprotected Firebase instances, mostly UAE/Pakistan/Saudi Arabia victims it seems. #Android #Malware https://t.co/6INCOHBiLE https://t.co/o1mPKjrHNr pic.twitter.com/NEGAyNeNbQ
— smtnk (@s_metanka) October 7, 2019
Bankers and spyware
Banking trojans were also discovered in apps on Google Play last month, one of them targeting Brazilian users. In one case, the malware was hidden in a mobile application advertising that it could locate family members.
The trojan would rely on Android’s Accessibility Service to swipe sensitive information from text messages, like confirmation codes. In typical banking trojan behavior, this one also displayed phishing pages for targeted financial institutions.
Another banking trojan was found disguised as the official application for the YoBit cryptocurrency exchange. Its purpose was to steal credentials from unsuspecting users when they tried to log into their account.
After entering the login details in the fake authentication window, users would see a message saying that the service was unavailable.
Among its capabilities, the researchers count reading two-factor authentication codes from text messages and emails, as well as blocking notifications from instant messaging apps and email clients. The latter is a precaution to keep the victim unaware of the unauthorized login.
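The capabilities described for Android.Joker (reading SMS verification codes, harvesting contacts) and for the bankers (accessibility service abuse, suppressing notifications) all show up as declared permissions and service bindings in an app’s manifest. The following triage heuristic, an added example written for this article and not code from Doctor Web or BleepingComputer, parses an AndroidManifest.xml and flags those combinations, weighting them by the category the app claims to belong to. The sample manifest is constructed for illustration; the category names and the mapping from capability to permission are assumptions of this script.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities from the article, mapped to the manifest entries that grant them.
# The mapping is an assumption of this heuristic, not an exhaustive list.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# App categories named in the article that have no legitimate need for SMS or contacts.
LOW_NEED_CATEGORIES = {"wallpaper", "photo_editor", "camera_plugin", "game"}


def manifest_capabilities(manifest_xml: str) -> dict:
    """Extract the capability signals the article describes from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Services that bind to a system permission declare it via android:permission.
    service_perms = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return {
        "reads_sms": bool(perms & SMS_PERMS),
        "reads_contacts": bool(perms & CONTACT_PERMS),
        "accessibility_service": ACCESSIBILITY_BIND in service_perms,
        "notification_listener": NOTIFICATION_BIND in service_perms,
    }


def triage_flags(manifest_xml: str, declared_category: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    caps = manifest_capabilities(manifest_xml)
    flags = []
    if declared_category in LOW_NEED_CATEGORIES and caps["reads_sms"]:
        flags.append("SMS access in a category that does not need it (premium-subscription pattern)")
    if declared_category in LOW_NEED_CATEGORIES and caps["reads_contacts"]:
        flags.append("contact access in a category that does not need it (contact-theft pattern)")
    if caps["accessibility_service"] and caps["reads_sms"]:
        flags.append("accessibility service combined with SMS access (banker pattern)")
    if caps["notification_listener"]:
        flags.append("notification listener can hide login alerts from the user")
    return flags


# Constructed sample manifest for a fictional "wallpaper" app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for flag in triage_flags(SAMPLE_MANIFEST, "wallpaper"):
        print("FLAG:", flag)
```

Run it over a manifest extracted from an APK with a tool such as apktool to see which of the article’s patterns the app declares.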
Spyware belonging to at least three families was also found on Google Play, notes Doctor Web’s research. These samples provided control over services for texting, calling, instant messaging, and could track devices.
Detection statistics from the company for September show that malicious apps that downloaded and executed code were the most common, having components from two malware families. They are followed by adware apps and backdoors.
Although Google has mechanisms that prevent malicious apps from being published on Play Store, they are not sufficiently honed to stop all risk. Besides installing apps from trusted developers, users can also stay safe by checking the reviews from others. In many cases, information from other users may help them make the right decision.