Watch out! New army of malicious apps infiltrates Google Play Store


Security researchers at ESET have identified a new set of malicious apps that infiltrated the Google Play Store: legitimate-looking apps that are in fact multi-stage Android malware.

The apps in this new set request no suspicious permissions and slipped past the Play Store's security controls to reach users' devices.

The Google Play Store has played host to a large number of malicious apps over the years, and despite Google's best efforts to weed them out, attackers keep pushing in more sophisticated apps that bypass both Google's security controls and the scrutiny of security-conscious users.

Researchers at security firm ESET have observed the arrival of a new army of malicious apps on the Play Store: legitimate-looking apps that are in fact multi-stage Android malware. They delay the onset of malicious activity and use anti-detection techniques including a multi-stage architecture, encrypted payloads and staged delivery of the final payload, none of which is visible to the user.

The researchers reported eight such apps to Google's security team, which removed them from the Play Store. However, the possibility of similar malicious apps still hiding in the store cannot be discounted. The apps identified by the researchers included two performance-optimising apps, three World News apps and a MEX Tools app.

According to the researchers, once a user installs one of these apps it requests no suspicious permissions and even mimics the activity expected of an ordinary app. It then decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload; both steps are invisible to the user.

‘The second-stage payload contains a hardcoded URL, from which it downloads another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user is prompted to install the downloaded app.

‘The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions,’ they added.

The third-stage payload then decrypts and executes the final payload, which is in fact a mobile banking trojan whose sole aim is to steal credentials or credit card details. The URL used to deliver the final payload had been accessed almost 3,000 times by such apps.
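
The chain described above (embedded encrypted stages, runtime code loading, a hard-coded download URL and an install prompt for a further APK) leaves a few static traces in an APK. The script below is an added triage example, not ESET's tooling and not code from the apps in the report: it scores an APK for those traces. The indicator strings are the real Android/Java class and intent names; the scoring, the entropy threshold and the sample "APK" it builds (a zip with a fake classes.dex, an asset and the hypothetical URL http://stage3.example.invalid/update.apk) are our own constructions.

```python
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

# Strings a dropper built the way the article describes tends to carry in its
# DEX: a runtime class loader for the next stage, a cipher to unwrap it, and the
# intent that prompts the user to install the downloaded APK. The class and
# constant names are real; the weighting is a heuristic of our own.
DEX_INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": "runtime code loading (staged payload)",
    b"Ljavax/crypto/Cipher;": "decrypts embedded data before executing it",
    b"android.intent.action.INSTALL_PACKAGE": "prompts the user to install another APK",
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-]+(?:/[A-Za-z0-9._\-/]*)?")
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".gif", ".mp3", ".ogg", ".webp")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted blobs approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Score an APK (a zip file) for the encrypted-stage dropper pattern."""
    findings = {"indicators": [], "urls": [], "high_entropy_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name.endswith(".dex"):
                for needle, why in DEX_INDICATORS.items():
                    if needle in data:
                        findings["indicators"].append(why)
                findings["urls"] += [u.decode() for u in URL_RE.findall(data)]
            elif name.startswith("assets/") and not name.lower().endswith(MEDIA_EXT):
                # Images and audio are legitimately high-entropy; skip them so the
                # check only fires on opaque data files that may be an encrypted stage.
                ent = shannon_entropy(data)
                if len(data) >= 256 and ent >= ENTROPY_THRESHOLD:
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
    score = (len(findings["indicators"])
             + bool(findings["urls"])
             + bool(findings["high_entropy_assets"]))
    findings["score"] = score
    findings["suspicious"] = score >= 3
    return findings


def build_sample_apk(malicious: bool) -> bytes:
    """Constructed sample, not a real APK: a zip with a fake classes.dex and one asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        if malicious:
            dex = (b"dex\n035\0Ldalvik/system/DexClassLoader;\0Ljavax/crypto/Cipher;\0"
                   b"android.intent.action.INSTALL_PACKAGE\0"
                   b"http://stage3.example.invalid/update.apk\0")   # hypothetical URL
            # Deterministic pseudo-random bytes standing in for an encrypted stage.
            blob, h = b"", b"seed"
            while len(blob) < 4096:
                h = hashlib.sha256(h).digest()
                blob += h
            apk.writestr("classes.dex", dex)
            apk.writestr("assets/config.dat", blob)
        else:
            apk.writestr("classes.dex", b"dex\n035\0Landroid/app/Activity;\0onCreate\0")
            apk.writestr("assets/about.txt", b"This app shows the weather. " * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        print(label, triage_apk(build_sample_apk(label == "malicious")))
```

Two caveats matter in practice. First, the families in the report encrypt their later stages precisely so that strings such as the download URL never appear in the APK on the store; string indicators therefore catch only the loader, which is why the asset entropy check is there. Second, none of this sees the five-minute delay or the install prompt, which only show up when the app is run in an instrumented sandbox long enough for the timer to fire.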

Earlier this year, attackers defeated Google Play's built-in anti-malware protections by encrypting the malicious code embedded in otherwise ordinary-looking Android apps. That set of 50 malicious apps, dubbed ‘ExpensiveWall’, had been downloaded between 1 million and 4.2 million times by Android users around the world before security firm Check Point flagged it.

Millions of victims were unaware of the malware's presence on their devices as it conned them out of money. The researchers warned that even though the apps are no longer on the Play Store, the malware remains on the devices where it was installed and is still a threat to millions of users.

Following the discovery of the new set of malicious apps, ESET's researchers said that because multi-stage Android malware finds it easier to sneak into official app stores, Android users should not rely solely on the stores' protections.

‘It’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices,’ they added.

Copyright Lyonsdown Limited 2021
