Security researchers at ESET have identified a new set of malicious apps that infiltrated the Google Play Store: legitimate-looking apps that are in fact multi-stage Android malware.
The new apps request no suspicious permissions and slipped past the Google Play Store’s security controls to reach mobile devices.
The Google Play Store has played host to a large number of malicious apps over the years and, despite Google’s best efforts to weed out such apps, attackers have been pushing in increasingly sophisticated apps that can bypass Google’s strict security controls as well as the eyes of security-conscious users.
Researchers at security firm ESET have observed the arrival of a new army of malicious apps that are nothing but legitimate-looking multi-stage Android malware. These apps delay the onset of malicious activity and use anti-detection techniques including a multi-stage architecture, encrypted payloads and staged payload delivery that is invisible to the user.
The researchers reported eight such apps to Google’s security team, following which they were removed from the Play Store. However, the possibility of similar malicious apps still hiding in the Play Store cannot be discounted. The malicious apps discovered by the researchers included two performance-optimising apps, three World News apps, and a MEX Tools app.
According to the researchers, once a malicious app is downloaded by a user, it does not request any suspicious permissions and even mimics the activity usually expected from ordinary apps. After this, it decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload; both steps are invisible to the user.
‘The second-stage payload contains a hardcoded URL, from which it downloads another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user is prompted to install the downloaded app.
‘The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions,’ they added.
The third-stage payload then decrypts and executes the final payload which is, in fact, a mobile banking trojan with the sole aim of stealing credentials or credit card details. The URL used by the app for the final payload delivery was used almost 3000 times by such apps.
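The staging described above leaves static traces a reviewer can look for before an app is ever run: an encrypted blob stored as an asset (high byte entropy), a hardcoded URL ending in .apk, and the strings an app needs in order to hand a downloaded package to the system installer. The following triage script is an added example written for this article, not ESET’s code or the tooling they used. It assumes the APK has already been unpacked with an apktool-style decoder (so the manifest is plain XML and code is smali text) and that the unpacked files are supplied as a path-to-bytes mapping; the sample APK contents it scans are constructed inline and are not a real sample.

```python
import math
import random
import re
from collections import Counter

# Bits of entropy per byte above which a stored asset looks encrypted or packed
# rather than like ordinary text, XML or image data. The threshold is a heuristic.
HIGH_ENTROPY_BITS = 7.2
MIN_PAYLOAD_SIZE = 1024  # ignore tiny high-entropy files such as small PNGs

# Strings a dropper needs in order to prompt installation of a downloaded APK.
INSTALL_PERMISSION = b"android.permission.REQUEST_INSTALL_PACKAGES"
APK_MIME_TYPE = b"application/vnd.android.package-archive"

# A URL ending in .apk, hardcoded in code or resources, matches the
# "download the third-stage payload from a hardcoded URL" behaviour.
APK_URL_RE = re.compile(rb"https?://[^\s\"'<>]+\.apk\b", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(files: dict[str, bytes]) -> list[str]:
    """Return human-readable findings for one unpacked APK.

    `files` maps paths inside the unpacked APK to their contents (assumed
    decoded: plain-XML manifest, smali text for code).
    """
    findings = []
    for path, blob in files.items():
        # Encrypted stage payloads are usually parked under assets/ or res/raw/.
        if path.startswith(("assets/", "res/raw/")) and len(blob) >= MIN_PAYLOAD_SIZE:
            entropy = shannon_entropy(blob)
            if entropy >= HIGH_ENTROPY_BITS:
                findings.append(
                    f"high-entropy asset {path} ({entropy:.2f} bits/byte): possible encrypted payload"
                )
        for match in APK_URL_RE.finditer(blob):
            url = match.group().decode("ascii", "replace")
            findings.append(f"hardcoded APK URL in {path}: {url}")
        if APK_MIME_TYPE in blob:
            findings.append(
                f"{path} references the APK installer MIME type: app can prompt to install a downloaded package"
            )
    if INSTALL_PERMISSION in files.get("AndroidManifest.xml", b""):
        findings.append("manifest requests REQUEST_INSTALL_PACKAGES: app may install other apps")
    return findings


def build_sample_apk() -> dict[str, bytes]:
    """Constructed stand-in for an unpacked APK; not a real sample."""
    rng = random.Random(2017)
    return {
        "AndroidManifest.xml": (
            b'<manifest package="com.example.cleaner">'
            b'<uses-permission android:name="android.permission.INTERNET"/>'
            b'<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>'
            b"</manifest>"
        ),
        # Stand-in for an encrypted first-stage payload: pseudo-random bytes
        # are indistinguishable from ciphertext to an entropy scanner.
        "assets/config.dat": rng.randbytes(4096),
        # Ordinary low-entropy resource that must not be flagged.
        "res/raw/licence.txt": b"This app is provided as is. " * 100,
        # Smali stand-in holding a stage-3 download URL and the installer MIME type.
        "smali/com/example/cleaner/Updater.smali": (
            b'const-string v0, "https://cdn.example.invalid/updates/adobe_flash_player.apk"\n'
            b'const-string v1, "application/vnd.android.package-archive"\n'
        ),
    }


if __name__ == "__main__":
    for line in triage_apk(build_sample_apk()):
        print(line)
```

None of these indicators is conclusive on its own; legitimate updaters also request REQUEST_INSTALL_PACKAGES and legitimate apps ship compressed assets. The combination of an encrypted asset, an .apk URL and installer strings in an app whose store listing is a cleaner or news reader is what merits a closer dynamic look.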
Earlier this year, attackers were able to defeat Google Play’s built-in anti-malware protections by encrypting the malicious code they embedded in otherwise ordinary-looking Android apps. The set of 50 malicious apps, dubbed ‘ExpensiveWall’, was downloaded between 1 million and 4.2 million times by Android users across the world before being flagged by security firm Check Point.
Millions of victims were unaware of the malware’s presence on their devices as it conned them out of money. The researchers warned that even though the apps are no longer in the Play Store, the malware remains on devices where it was installed and continues to be a threat to millions of users.
Following the discovery of the new set of malicious apps, researchers at ESET said that since it is easier for multi-stage Android malware to sneak into official app stores, Android device users should not rely fully on the stores’ protections.
‘It’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices,’ they added.