Although Google Play tries to protect its customers against threats and malicious applications, during the past few months we have witnessed several incidents caused by compromised mobile applications in circulation. The malware called ExpensiveWall was hidden in about 50 applications in the Play Store and had been downloaded a few million times before Google removed it; another malware family called BankBot was also downloaded widely and caused lots of problems. And the list goes on.
The Google Play Store is supposed to be a safe environment, but instead it increasingly serves as another channel for fraudsters to distribute malicious code. Why are Google and others failing to protect their users, and how can you spot a compromised application?
How Do They Get There?
Google published a report called How we fought bad apps and malicious developers in 2017, in which it admitted that in 2017 it removed more than 700 000 applications that violated its policies. This number is a 70% increase from the previous year. Some of them hide inside a good-looking game or handy utility, or simply mimic a trusted application to gain thousands of downloads by impersonating well-known applications such as Uber, WhatsApp and others, enlarging the "client base" of their botnet. But how is it possible for fraudsters to get there undetected?
To stay unspotted by Google's machine learning-based detection measure called Google Play Protect (GPP), fraudsters use different camouflaging techniques.
You may ask how it is possible that GPP does not detect malicious code right when the fraudster uploads it to the store. Well, it tries, but fails, because fraudsters have understood how GPP's detection mechanisms work. For example, the fraudsters' evergreen strategy is obfuscation. This technique jumbles up the code to hide its actual purpose and still beat the Play Store's defenses. In other words, obfuscation makes the code unreadable for the Google bots that inspect it.
Ironically enough, obfuscation was invented for the "good guys" to protect their intellectual property against theft.
The Threat to Your Banking Account
A compromised application often does not show any kind of suspicious behavior at first. After some time, or in response to a command (or an update), the malicious code is executed and from this point can trigger almost anything, from delivering adware to encrypting your device or eavesdropping on your communication. For that, it needs root access to maintain persistence and escalate permissions. Gaining this "superuser" access allows the application to do whatever it wants: eavesdrop on SMS messages, browse data storage and so on. Basically, the device has been turned into a "zombie" supervised from the fraudster's Command & Control center. The last of these was the recent case of QRecorder (Android/Spy.Banker.AIX), described here before.
What You Can Do
These 6 simple steps will help you avoid installing a malicious application.
1. Do not install applications recklessly.
2. Keep your Android device updated – outdated operating systems are extra vulnerable.
3. Be suspicious – every application can be malicious.
4. Study the application first – before downloading, check the reviews and the author thoroughly.
5. Check the application's permissions – if the application requests illogical permissions, e.g. to read SMS or reach your contacts, be extra careful.
6. Check elevated rights – during updates, check which additional permissions the application requires.
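Steps 5 and 6 above can be automated for a defender reviewing an APK's manifest. The following is an added example, not code from the article or from the SDK it describes: it parses a (constructed) AndroidManifest.xml, flags permissions from a hypothetical watch list tied to the attack types named here (SMS grabbing, overlay attacks, contact harvesting), and diffs two versions of the manifest to spot permissions that an update silently adds.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical watch list (not Google's): permissions a flashlight or game
# rarely needs, but which banking trojans depend on.
SENSITIVE = {
    "android.permission.READ_SMS": "read SMS (mTAN interception)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay attack)",
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def flag_sensitive(perms):
    """Map each watch-listed permission in perms to why it is suspicious."""
    return {p: SENSITIVE[p] for p in perms if p in SENSITIVE}


def new_permissions(old_manifest_xml, new_manifest_xml):
    """Permissions an update adds on top of the previously installed version."""
    return requested_permissions(new_manifest_xml) - requested_permissions(old_manifest_xml)


# Constructed sample manifests: a flashlight app, then an update that quietly
# asks for SMS access and the overlay permission.
FLASHLIGHT_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

FLASHLIGHT_V2 = FLASHLIGHT_V1.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.READ_SMS"/>\n'
    '  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>\n'
    "</manifest>",
)

if __name__ == "__main__":
    for perm, why in flag_sensitive(new_permissions(FLASHLIGHT_V1, FLASHLIGHT_V2)).items():
        print(f"update adds {perm}: {why}")
```

Running the script on the constructed manifests prints only the two permissions the update added; the camera and internet permissions of the original version are not reported. A real manifest is binary XML inside the APK and must first be decoded with a tool such as aapt or apktool before it can be fed to this parser.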
Detecting these nasty applications requires a lot of resources. Google's security experts had to understand how applications interact with the system and the user, and analyze every available signal to find potentially harmful behavior.
Google will probably never get rid of all nasty applications (even though it states that GPP analyzes more than half a million applications every day), and the massive waves of malware indicate that there is obviously room for improvement. That is the reason why we developed our SDK library to protect clients' endpoints against various types of threats, such as overlay attacks, mTAN interception, keyloggers, SMS grabbers, banking trojans, mobile-based identity theft attacks, and cross-channel attacks.
Our SDK does not prevent any application from being installed, but scans them and the whole device from a security perspective, detecting rooted/jailbroken devices, insecure networks in use, or malicious applications and tools that have been installed.