Android malware beats Google, returns to Play Store with just a name change

Google has recently moved aggressively to rid its app store of malware; however, there is clearly still work to do. Symantec recently found seven previously removed rogue apps that had resurfaced on Google Play, republished under a new publisher name and new app names.

The apps, under their new titles, masqueraded as productivity apps and even used official Google imagery to hide their origins. Once installed, they waited four hours and then began pushing ads and opening scam websites.

All of these apps have the same set of tricks designed to take advantage of the device user, including:

1) Waiting before undertaking the scam. The malware is configured to wait for four hours before launching its malicious activity, so as not to arouse user suspicion straight away. If the user isn’t tipped off right after app installation, they’re less likely to attribute strange behavior to the true culprit.

Figure 1. The malware is configured to wait for four hours

2) Requesting admin privileges. Device administrator rights make the app harder to uninstall, and the app borrows trusted branding to obtain them: it displays the Google Play icon when requesting device administrator privileges.

Figure 2. Using the Google Play icon while asking for admin privileges

3) Keeping the victim in the dark. The app has the ability to change its launcher icon and its “running apps” icon in the system settings once installed. Again, it uses well-known and trusted icons—specifically that of Google Play and Google Maps—to allay suspicion.

Figure 3. The app changes its icon to emulate Google Maps

4) Delivering content to the device for profit. This component is highly configurable and extensible. Currently, ads are pushed to the phone via Google Mobile Services, and URLs are opened in web views that redirect to the kinds of “you won” scam pages described in a previous Symantec blog.

The configuration itself is delivered through the legitimate and ubiquitous Firebase Messaging service, co-opting yet another Google service as a command and control (C&C) channel.
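The three manifest-visible behaviours above (a device-admin receiver for item 2, launcher-icon swapping for item 3, and a Firebase messaging service for item 4) can be triaged statically. The following script is an added example written for this page, not Symantec's tooling or code from the samples: it parses a decoded AndroidManifest.xml and scores the combination. Both manifests embedded in it are constructed for illustration. The icon-swap check assumes the usual Android mechanism for changing a launcher icon at runtime (several LAUNCHER `activity-alias` entries with different icons, toggled with `PackageManager.setComponentEnabledSetting`); the page does not state how the malware implements it.

```python
"""Static triage of a decoded AndroidManifest.xml for the indicator
combination discussed above: a device-admin receiver, launcher-icon
swapping via multiple LAUNCHER activity-aliases, and a Firebase
messaging service usable as a push/C&C channel.

Both manifests below are CONSTRUCTED for illustration; they are not
taken from the samples Symantec analysed. A real APK carries a binary
manifest, so decode it first (e.g. with apktool) and pass the XML text
to triage_manifest().
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


LAUNCHER = """<intent-filter>
  <action android:name="android.intent.action.MAIN"/>
  <category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>"""

# Constructed: a fake "notes" app with every indicator present.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.smartnotes">
<application android:label="Smart Notes" android:icon="@mipmap/ic_launcher">
  <activity android:name=".MainActivity">{LAUNCHER}</activity>
  <activity-alias android:name=".PlayLook" android:targetActivity=".MainActivity"
      android:icon="@mipmap/ic_play" android:enabled="false">{LAUNCHER}</activity-alias>
  <activity-alias android:name=".MapsLook" android:targetActivity=".MainActivity"
      android:icon="@mipmap/ic_maps" android:enabled="false">{LAUNCHER}</activity-alias>
  <receiver android:name=".AdminReceiver"
      android:permission="android.permission.BIND_DEVICE_ADMIN">
    <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
  <service android:name=".PushService" android:exported="false">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
  </service>
</application></manifest>"""

# Constructed: an ordinary app that merely uses Firebase push.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
<application android:label="Weather" android:icon="@mipmap/ic_launcher">
  <activity android:name=".MainActivity">{LAUNCHER}</activity>
  <service android:name=".PushService" android:exported="false">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
  </service>
</application></manifest>"""


def _has_action(component, action):
    return any(a.get(A("name")) == action for a in component.iter("action"))


def _is_launcher_entry(component):
    has_main = _has_action(component, "android.intent.action.MAIN")
    has_cat = any(c.get(A("name")) == "android.intent.category.LAUNCHER"
                  for c in component.iter("category"))
    return has_main and has_cat


def triage_manifest(xml_text):
    """Return findings and a score for one decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    default_icon = app.get(A("icon"))

    # Indicator 2: a receiver guarded by BIND_DEVICE_ADMIN (or listening for
    # DEVICE_ADMIN_ENABLED) is what lets the app ask for admin rights.
    admin = [r.get(A("name")) for r in app.iter("receiver")
             if r.get(A("permission")) == "android.permission.BIND_DEVICE_ADMIN"
             or _has_action(r, "android.app.action.DEVICE_ADMIN_ENABLED")]

    # Indicator 3: several LAUNCHER entries with different icons. Enabling a
    # different alias at runtime changes the home-screen icon (assumed
    # mechanism, not taken from the page).
    launcher_icons = {}
    for comp in list(app.iter("activity")) + list(app.iter("activity-alias")):
        if _is_launcher_entry(comp):
            launcher_icons[comp.get(A("name"))] = comp.get(A("icon"), default_icon)
    icon_swap = len(set(launcher_icons.values())) > 1

    # Indicator 4: a FirebaseMessagingService. Very common in benign apps, so
    # it only adds weight when another indicator is already present.
    fcm = [s.get(A("name")) for s in app.iter("service")
           if _has_action(s, "com.google.firebase.MESSAGING_EVENT")]

    score = int(bool(admin)) + int(icon_swap)
    if fcm and score:
        score += 1
    return {
        "package": root.get("package"),
        "device_admin_receivers": admin,
        "launcher_icons": launcher_icons,
        "icon_swap_capable": icon_swap,
        "fcm_services": fcm,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "no static indicators",
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The scoring deliberately refuses to count Firebase messaging on its own: a push service is standard in legitimate apps, and the point of the page is the combination of delayed activation, admin rights, icon swapping and a push-delivered configuration. Run the script over a batch of decoded manifests and review anything scored 2 or higher by hand; the four-hour delay is a runtime behaviour and needs dynamic analysis rather than a manifest check.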

Although malware that makes it onto Google Play tends to be the most sophisticated, patterns are still apparent. The package names seen reappearing on the Play Store are a weak point in the evasion being used: the publisher name and app title change, but the package names recur.

Figure 4. Package names used by the malware

Mitigation

Stay protected from mobile malware by taking these precautions:

  • Keep your software up to date
  • Do not download apps from unfamiliar sites
  • Only install apps from trusted sources
  • Pay close attention to the permissions requested by apps
  • Install a suitable mobile security app, such as Norton or SEP Mobile, to protect your device and data
  • Make frequent backups of important data

Read more on Symantec
