Android malware beats Google, returns to Play Store with just a name change

All of these apps have the same set of tricks designed to take advantage of the device user, including:

1) Waiting before undertaking the scam. The malware is configured to wait for four hours before launching its malicious activity, so as not to arouse user suspicion straight away. If the user isn’t tipped off right after app installation, they’re less likely to attribute strange behavior to the true culprit.

2) Requesting admin privileges. The app is looking to raise the barrier for its uninstallation and is usurping trusted branding to pull it off. The app uses the Google Play icon when requesting device administrator privileges.

3) Keeping the victim in the dark. The app has the ability to change its launcher icon and its “running apps” icon in the system settings once installed. Again, it uses well-known and trusted icons—specifically that of Google Play and Google Maps—to allay suspicion.

4) Delivering content to the device for profit. It should be noted that this is highly configurable and extensible. Currently, ads are pushed to the phone via Google Mobile Services, and URLs are launched in web views that redirect to the kinds of “you won” scam pages that we’ve outlined in a previous blog.

This configuration takes advantage of the legitimate and ubiquitous “Firebase Messaging” service, copying yet another service into a command and control (C&C) service.

Although malware appearing on Google Play leads the field in sophistication, there are patterns apparent. The package names we’ve seen reappearing on the Play store are a weak point in the evasion that’s being used: