Two Google Play Store apps are being used by hackers as trojans to download and install additional apps without users' permissions.
The two apps were observed leveraging techniques like time delays and code obfuscation to hide on the Google Play Store.
Researchers at security firm Zscaler have revealed that two Google Play Store apps, namely ‘Earn Real Money Gift Cards’ and ‘Bubble Shooter Wild Life’, are being used by hackers as trojans to download and install other malicious apps on users' devices.
Once both apps are downloaded, they abuse the Google Play Accessibility Service and install additional apps without user's permission. While the researchers encounter such trojan apps on third party app stores, they were surprised when they noticed such apps on the Google Play Store.
"Most recent malware families have started using obfuscators, packers, and protectors to hinder analysis from security researchers and malware detection systems," they noted.
They added that the use of delaying tactics and abuse of the Google Accessibility service to install additional payloads by malicious apps as a unique phenomenon, giving rise to concerns that there could be many more Play Store apps utilising similar techniques.
For example, the ‘Bubble Shooter Wild Life’ app requests user permission to download other apps that will support gameplay. Once a user gives permission to install additional apps, the app waits for exactly 20 minutes before triggering a malicious service. The service then launches a pop-up window, asking the user to enable 'Google services'.
If the user clicks OK, he is directed to the Accessibility Settings menu and is asked by the service to turn on 'Google services' which is, in fact, the malware’s accessibility service disguised as a Google service. To make the process look more genuine, hackers behind the malware make the user view detailed Privacy & Terms (which is copied from Google's website).
Once access permissions are given by the user, the app searches for an APK file in the Download section of the device, then opens the Settings menu to enable “Installation from Unknown Source” and completes the APK file's installation successfully.
Once they identified the two apps that installed malware on Android devices by bypassing Google's security protocols, the researchers at Zscaler reported them to Google but fear that there may be many similar apps lurking on the Play Store.
Earlier this year, Google launched Play Protect, a new malware tracking software that keeps a constant vigil on apps that have been downloaded from the Play Store. The software is designed to ensure that Android apps are as secure on devices as they are on the Play Store prior to installation. However, it seems that Google Play Protect was unable to detect the two apps that researchers at Zscaler unmasked.
Researchers at Naked Security have also warned that there could be as many as 4,000 Android apps containing SonicSpy, a powerful spyware that can infiltrate Android devices and steal sensitive user information without being noticed by users.
Three such apps, namely Soniac, Hulk Messenger, and Troy Chat, were spotted on the Play Store by the firm and were reported to Google. The researchers added that Android users who download apps from third party app stores and from the web are particularly vulnerable to the spyware.