The most recent malicious Play Store apps that Google has removed were trojans with more than 5.8 million installs that stole users’ Facebook usernames and passwords.
The latest Android Trojans on Google Play Store
Android apps must pass a series of rigorous certifications in order to be available for download on Google Play Store. However, despite Google’s efforts, malicious apps keep finding new ways to trick the certification process.
The latest round of malicious apps removed from Google Play Store consisted of the apparently harmless Processing Photo, App Lock Keep, App Lock Manager, Lockit Master, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, Inwell Fitness, and PIP Photo. Combined, these trojans totaled an astonishing 5.8 million installs on Android devices. The apps encouraged or even required users to connect with their Facebook accounts and then stole their account username and password.

How they were detected
The malicious apps were found by Doctor Web, a security company that makes antivirus software. The company reported that, after it informed Google of its findings, the search giant had removed half of them from the Play Store. However, some are still available for download.
The even worse news is that the developers of these apps could also have stolen sensitive data from other devices.
“Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.”
a post on Doctor Web’s site
Apple’s Tim Cook pointed out Android’s malware issue, adding that “Android has 47x more malware than iOS”, in a recent interview with Brut CEO Guillaume Lacroix.
All that being said, Google needs to immediately strengthen its app certification policies. As Android is very popular and millions of devices are activated every day, threat actors have a massive market to take advantage of.
Not the first trojans on Google Play Store
On the 9th of February this year, Google removed 10 malicious apps that contained previously unknown droppers for financial trojans.
The dropper was loaded into harmless-looking utility apps, such as Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder. Their functionality was copied from existing, legitimate Android apps. Together they totaled 15,000 installs.
According to researchers, the hidden dropper’s infrastructure contains ‘enable-or-disable’ parameters that decide whether to trigger the app’s malicious functions. The parameter is set to ‘false’ while the app goes through the certification process and stays that way until Google has made the app available for download.
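One way a reviewer or sandbox could catch the flag flip described above is to capture an app's remote configuration at review time and again after publication, then diff the two snapshots. This is an added example, not code from Check Point, Google or the original article; the JSON layout, key names and URL are constructed for illustration.

```python
import json
import re

URL_RE = re.compile(r"^https?://", re.IGNORECASE)

def flatten(config, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0]": leaf_value} pairs."""
    leaves = {}
    if isinstance(config, dict):
        for key, value in config.items():
            leaves.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(config, list):
        for index, value in enumerate(config):
            leaves.update(flatten(value, f"{prefix}[{index}]"))
    else:
        leaves[prefix] = config
    return leaves

def as_bool(value):
    """Read JSON booleans and the strings "true"/"false"; anything else is None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None

def diff_snapshots(review_json, later_json):
    """Return (finding, path) pairs for flags enabled or URLs introduced after review."""
    before = flatten(json.loads(review_json))
    after = flatten(json.loads(later_json))
    findings = []
    for path in sorted(after):
        old, new = before.get(path), after[path]
        if as_bool(old) is False and as_bool(new) is True:
            findings.append(("flag_enabled", path))
        elif isinstance(new, str) and URL_RE.match(new) and new != old:
            findings.append(("url_changed" if path in before else "url_added", path))
    return findings

# Constructed snapshots: what the app fetched during review vs. after release.
REVIEW_SNAPSHOT = '{"ui": {"theme": "dark"}, "feature": {"enable": "false"}, "update": {"url": ""}}'
LATER_SNAPSHOT = ('{"ui": {"theme": "dark"}, "feature": {"enable": "true"}, '
                  '"update": {"url": "https://files.example.invalid/module.bin"}}')

if __name__ == "__main__":
    for finding, path in diff_snapshots(REVIEW_SNAPSHOT, LATER_SNAPSHOT):
        print(f"{finding}: {path}")
```

A non-empty result is a reason to re-run dynamic analysis on the published build, since the app's behaviour may no longer match what was reviewed.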
“If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be ‘Google Play Services’ requesting the user to allow the installation every five seconds.”
Check Point Research
The purpose of these apps was to provide remote access to compromised devices, hack banking apps to gain access to user accounts, and exfiltrate their financial information.
Check Point Research reported the apps to Google on January 29. By February 9, Google confirmed it had removed the malware from the Google Play Store.
“The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but concerning, methodology. With a simple manipulation of readily available third-party resources – like a GitHub account, or a FireBase account – the hacker was able to leverage readily available resources to bypass Google Play Store’s protections.”
Aviran Hazum, Check Point mobile research manager
Tim Cook, Apple’s CEO, mentioned in a recent interview that “Android has 47x more malware than iOS”, pointing out a real malware problem on the Android platform. It’s safe to say that Google needs a better vetting process for the apps that get on its app store. Android’s popularity and huge market, with millions of devices activated each day, make it a profitable market for bad actors.
Sources:
Money Control www.moneycontrol.com/android-trojans-breach-googles-play-store-again-steal-facebook-passwords
ZDNet www.zdnet.com/malicious-apps-on-google-play-dropped-banking-trojans-on-user-devices/