Software maker Symantec’s latest threat intelligence report underlines how dodgy app developers are sneaking their apps past the Google Play Store’s rule-based anti-malware defense.
The report claims to have detected 25 malicious apps with more than 2.1 million total downloads, all of which have since been removed from the Play Store.
Strikingly, all of the apps highlighted in the recent Symantec report belong to the beauty/fashion and photo utility categories. Although these apps were delivered via the accounts of 22 developers, all 25 apps share more or less the same content and code structure.
The security experts at Symantec believe this could be a sign that all these developers belong to a single organized group. The only other plausible explanation would be that they built these apps from the same source codebase.
The apps themselves were relatively new, with the oldest of them having been uploaded only in April 2019. However, that doesn’t necessarily mean that the techniques they used to bypass Google Play Protect are also new (or have not been replicated in other apps since).
A list featuring all 25 malicious apps can be found at the end of this report.
The apps were designed to install just like any regular app, only to change behavior drastically afterward and push fullscreen advertisements at random intervals. Not only were users given no chance to opt out, they also couldn’t pinpoint the source of the intrusive ads, since the ad windows didn’t carry the app title.
The ads continued to flood the screen even when the app was not in use.
Our researchers exposed malware hiding in popular photo editing apps. Get the details. https://t.co/81pWsCwhlY
— Symantec (@symantec) September 23, 2019
The apps could successfully evade the Play Store’s scrutiny as the developers made sure not to hardcode the malicious functions into the original Android Package Kits (APKs).
Instead, they would covertly download a remote configuration file via a third-party service without alerting the user. Once downloaded, the configuration file would inject several settings, including ones that alter the device’s ad-displaying behavior.
The apps also encoded and encrypted certain keywords in the malicious code using initialization vectors and encryption keys. This made the code effectively invisible to anti-malware scans on the host device.
In addition, the apps removed their icons from the home screen — possibly in an attempt to make the user forget about their presence on the device.
At least some of the developers managed to push the apps to the top trending apps in their respective categories, which would explain how they could bag so many downloads within a relatively short period.
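A defender-side triage heuristic for the three behaviors the article describes (icon hiding, runtime fetch of a remote configuration, string encryption with an IV and key), added here as an illustration and not taken from the Symantec report. The Android and javax.crypto class names are real APIs; the grouping, the "two of three" threshold and the sample strings are this example's own assumptions.

```python
import re

# Each behaviour is a set of indicator regexes; a behaviour counts as present
# only when ALL of its indicators occur somewhere in the extracted strings.
# Grouping real Android/javax.crypto identifiers this way is an assumption of
# this example, not Symantec's detection logic.
INDICATORS = {
    # PackageManager.setComponentEnabledSetting(..., COMPONENT_ENABLED_STATE_DISABLED, ...)
    "icon_hiding": [r"setComponentEnabledSetting", r"COMPONENT_ENABLED_STATE_DISABLED"],
    # a config-looking URL plus an HTTP client class
    "remote_config": [r"https?://\S+\.(?:json|cfg|txt)", r"HttpURLConnection|OkHttpClient"],
    # Cipher.getInstance with an explicit IV and key material
    "encrypted_strings": [r"Cipher\W{1,4}getInstance", r"IvParameterSpec", r"SecretKeySpec"],
}

def score_strings(decompiled_strings):
    """Return {behaviour: [indicator, ...]} for each fully matched behaviour."""
    hits = {}
    for behaviour, patterns in INDICATORS.items():
        matched = [p for p in patterns if any(re.search(p, s) for s in decompiled_strings)]
        if len(matched) == len(patterns):
            hits[behaviour] = matched
    return hits

def triage(decompiled_strings):
    """'review' when at least two behaviours co-occur; any single one alone is
    common in legitimate apps (crypto, remote config), so it is rated 'low'."""
    hits = score_strings(decompiled_strings)
    return ("review" if len(hits) >= 2 else "low"), hits

# Constructed stand-in for the string table of a decompiled (smali) APK.
SAMPLE_STRINGS = [
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "COMPONENT_ENABLED_STATE_DISABLED",
    "https://cfg.example.invalid/adconfig.json",
    "Ljava/net/HttpURLConnection;",
    "Ljavax/crypto/Cipher;->getInstance",
    "Ljavax/crypto/spec/IvParameterSpec;",
    "Ljavax/crypto/spec/SecretKeySpec;",
    "com.example.beautycam.MainActivity",
]

# Constructed benign sample: ordinary TLS/crypto use and an API URL only.
BENIGN_STRINGS = [
    "Ljavax/crypto/Cipher;->getInstance",
    "Ljavax/crypto/spec/SecretKeySpec;",
    "https://api.example.invalid/v1/photos",
]

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
    print(triage(BENIGN_STRINGS))
```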
Meanwhile, the developers behind at least one of these apps made two versions of the same app — one clean and the other carrying the malicious functions. While the clean app managed to trend in the top charts, the developers probably hoped that many users would mistakenly download the version with the malicious functions.
While the Symantec report only names the package names, the app titles associated with these packages are:
Meanwhile, do let us know if you happen to have come across any other app that exhibits similar behavior as these now-removed Google Play Store apps.
Images are courtesy of Twitter, Pixabay, Shutterstock.