A fundamental rule of mobile security can be expressed as “do not install apps from unknown sources or stores.”

Most Android mobile devices have a specific setting that limits app installations to the Google Play Store. Security experts repeatedly advise against turning this feature off. However, during the past few years, we have witnessed a plethora of cases involving malicious mobile apps circulating on Google Play.

This service, managed by Google, is supposed to be a safe haven for users seeking tools to augment their mobile devices. Instead, it increasingly serves as an attack vector for scammers and threat actors. Bypassing the security barriers of the Play Store, a trusted component of the Google ecosystem, grants hackers access to a huge attack surface consisting of literally billions of monthly active devices on Android alone.

More importantly, behind each device sits a user, whose personal and financial data may be jeopardized. And, while users are subject to a range of risks when using the Play Store, businesses and brands are faced with issues of their own. Legitimate apps and vendors are affected negatively because of weakened brand and reputation, as scammers love abusing trusted brand names. Finally, Google itself is affected by the decline in trust each time a fake app or vendor is reported.

Is Google failing at protecting their own users and is there a way to overcome the challenges the platform is facing?

In this article, we will outline the main threats that come from malicious apps, the scale of the problem, and some basic suggestions for keeping your mobile device safe. We will also look at the measures Google and the security industry are taking to clean up the Play Store.

The Google Play Store: Big Platform Issues

Google’s strategy is to build an entire ecosystem and make sure that users embrace their solutions to the fullest. Furthermore, they know what to offer users. Think of the GSuite set of services, which basically caters to the everyday needs of a team, from collaboration on Google Docs in the cloud to video conferencing via Hangouts. All of this is seamlessly integrated between different platforms—Chromebooks running ChromeOS, Nexus phones, and Pixel tablets.

Tech giants nowadays are all about providing users with an entire environment that caters to their every need, be it for work, leisure, or study. By tapping into each market niche that emerges as technologies advance, tech companies secure their user base, income, and market share.

Not buying it? Just take a look at our article on advertising trends in 2018, specifically the part on the growing voice-search market and smart home assistants; you’ll see all the familiar names among the industry’s leaders.

Now let’s talk about search.

Google’s main income comes from ad tech and search, so the more time a user spends on their platform, the more searches they do, and the more ads served to them. A good example would be the ads in your Gmail account—catered to you and every move you make online.

On mobile, Google’s Android OS is the dominant platform, holding a whopping 85% of market share in the first quarter of 2017, according to IDC. The OS is based on Linux and is partially open source, which means that OS code developed and maintained by Google is available to other parties, like device vendors (Samsung, et al.). This openness has contributed to Android’s popularity and its current dominance in the market.

And that contribution is significant. The number of apps in the Google Play Store is estimated to be around 3.5 million as of December 2017, based on data by Statista. The mobile analytics company App Annie tallies the number of app downloads in excess of 19 billion in the last quarter of 2017.

However, new apps are submitted to the Play Store daily and not all of them are well-meaning. In fact, there is a huge chunk of malicious apps, according to Google’s own report. In 2017, Google removed more than 700,000 apps that violated Play Store policies, a 70% increase from 2016. On the bright side, 99% of apps were identified before users installed them, thanks to new detection techniques. Unfortunately, the remaining 1% that snuck through the barriers is still a big number given the total quantity of violators.

How Do Dangerous Apps Sneak into the Play Store?

Google emphasizes the accessibility of their platform, allowing many developers to populate the Store with the various apps they create. Despite making the Android experience rich, the strategy backfires when it comes to keeping bad actors at bay. Anyone can join the platform via the Developer Console and upload apps, after completing 4 basic steps and paying a $25 registration fee. Frankly, this process is not too complicated for cyber criminals (or anyone else), and probably some additional vetting should be applied at this step.

Another reason why malicious apps populate the Play Store is evasion. Malicious actors employ a variety of techniques to fly under Google’s radar. One of them is delayed activation/execution of malicious code, a method that is widely used by unwanted applications displaying intrusive ads and ransomware alike.

How does evasion work?

After an installation, the app disguised as benign doesn’t demonstrate any kind of harmful activity or suspicious behavior. As soon as a set amount of time passes, the malicious code is executed and from there it could trigger anything, including ransomware. This article describes a ransomware-carrying app that used delayed activation, while many detection schemes are based on the premise that malware will show its nature right away.

Malware authors use code obfuscation as an additional measure to evade detection. Basically, the malicious code is intentionally clogged up to conceal its actual purpose. By using various methods to “protect” itself from static analysis—a form of review used by security tools performed without executing the code—the code avoids detection.

But that is not all.

Impersonating trusted apps is the method of choice for some of the most nefarious apps, like banking trojans, that regularly plague the Play Store. A prominent case was a fake WhatsApp messenger that was downloaded between 1 and 5 million times. The spoofed app was using a developer URL similar to that of the real app, which allowed both to stay in the store simultaneously. The difference wasn’t noticed by users. Moreover, after installation, the fake app created an unnoticeable icon that would allow it to persist on devices. It is reported that this fake app was monetized by displaying ads, but it could have switched to distributing more severe payloads. Interestingly, the imposter app had a convincing rating and quantity of reviews.

To maintain persistence on a device, apps often seek escalated privileges, also known as “root access,” and become a sort of “superuser.” How? Apps get root access either by repeating a request until the user allows it (pretty straightforward) or by using root access exploit kits for Android. Gaining root access allows an attacker to snoop through data storage, intercept communications, and so forth, basically turning the device into yet another bot supervised from the attacker’s command and control center.
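A store operator or brand owner can screen new listings for publisher identifiers that are nearly identical to a genuine one. The sketch below is an added example, not code from Google or from the original article; it generalizes from the developer URL mentioned above to any publisher string, and the trusted name, the sample inputs and the 0.85 threshold are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample: publisher names a brand owner considers genuine (hypothetical).
TRUSTED = ["Example Messenger Inc."]
SKIP = {"Cf", "Cc", "Zs", "Zl", "Zp"}  # format, control and separator characters


def skeleton(name):
    """Comparison key: NFKC-normalize, drop invisible/spacing characters, case-fold."""
    text = unicodedata.normalize("NFKC", name)
    return "".join(c for c in text if unicodedata.category(c) not in SKIP).casefold()


def classify(candidate, trusted=TRUSTED, threshold=0.85):
    """Return 'genuine', 'lookalike' or 'unrelated' for a listing's publisher string."""
    if candidate in trusted:
        return "genuine"
    key = skeleton(candidate)
    for name in trusted:
        ref = skeleton(name)
        # Same key but a different raw string, or a near match, is worth a manual review.
        if key == ref or SequenceMatcher(None, key, ref).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs: exact match, padded copy, one-character swap, unrelated name.
    for sample in ["Example Messenger Inc.", "Example Messenger Inc.\u00a0",
                   "Examp1e Messenger Inc.", "Photo Tools LLC"]:
        print(repr(sample), "->", classify(sample))
```

A "lookalike" result is a prompt for human review, not proof of abuse; legitimate subsidiaries and regional publishers can also score high.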

WhatsApp isn’t alone. Other big brands have been impersonated by bad apps recently.

Symantec reported a fake Uber app. This case is particularly interesting because it exploits social engineering and phishing methods along with a thoroughly crafted trick to evade suspicion. With the spoof-Uber, a new strain of known Android malware “Fakeapp” was luring users into giving away Uber login credentials by regularly displaying an overlay of a fake Uber app screen, prompting the user to enter their info. Upon entering the info, it was sent to attacker servers while the Fakeapp opened the real Uber app, displaying the user’s location which normally occurs with the real app. The malicious app achieved this by invoking a deep link to open a specific screen of the actual Uber app.

Fake Uber login page overlay. Source: Symantec

Fake Uber deep linking to the real app’s interface, after having collected user credentials from the spoof login screen. Source: Symantec

The Main Threats You Might Encounter in the Play Store

We’ve outlined a few methods that adversaries use to infiltrate the Store and mobile devices. Now let’s take a closer look at the most common threat types.

SMS Trojans

This is malware that takes over messaging functionality, covertly sending shortcode messages to premium numbers at the user’s expense, draining the funds in the account. It may be delivered along with a seemingly normal app modified by crooks or installed by an unsuspecting user from a dubious source. Often SMS trojans block the “subscription” confirmation from these premium numbers and keep a low profile on the infected device. The 2017 Expensive Wall malware is a good example of such trojans.

Banking Trojans

This is a kind of malware that infiltrates the Google Play store quite regularly. Its intent is to intercept and collect sensitive financial data by infiltrating the victim’s mobile device. Phishing attacks are often an entry point for this type of threat, occurring via different vectors: SMS, IM, email, and—of course—the Play store or third-party Android stores.

Trojanized apps spy on users, log data entered on banking sites or apps launched on compromised devices, and generate pop-ups mimicking login forms for legitimate services like email and PayPal (as with the Uber case). Hackers may get their hands on victims’ funds as well as personally identifiable information (PII) such as SSN, physical address, etc. By obtaining permissions to use contacts and network connections, they might propagate themselves to other devices or download additional payloads, just like in the BankBot trojan case, which targeted a list of 160 banking apps by initiating overlays of legitimate banking apps to steal credentials.

Fake Apps

These applications are often disguised as security products. Just like with other categories of apps, their “monetization” may range from adware, generating income from intrusive ads, to modular malware, delivering payloads of various types and changing according to a device’s characteristics.

Sophos Security describes a case called “Super Antivirus 2018,” a fake AV program in the Play Store that didn’t actually carry any detection tools, besides an .XML file containing a list of 500 apps, many of them legitimate, to display in fake scan results. This product attracted between 10,000 and 50,000 downloads but was only a decoy whose true purpose was to promote another fake security and performance app, “Security Elite,” through ads served during the scan. You know something sketchy is going on when adjectives like “Super” are in the name of an AV product you have never heard of before, and it’s offering a “junk cleaning” feature. The promoted app accumulated an astonishing 50 million installs during a 3-month period.

Cryptomining malware

Cryptomining malware is a subset of fake apps that is getting more popular as cryptocurrencies grow in value and become an increasingly popular payment method, both among legitimate vendors and hackers populating the dark web. At first glance, these apps appear benign and often come free of charge, but their real intent is to hijack the device’s computational resources, a crucial asset required to mine cryptocurrencies for the malware authors. Sophos Labs researcher Pankaj Kohli described 19 cryptocurrency mining programs augmented with JS code that enabled mining of Monero and other cryptocurrencies upon its execution. All of them were found on the Google Play store. Some of the sophisticated versions even used CPU throttling to prevent noticeable side effects of the CPU load induced by mining, like overheating and battery discharge.

What is Google Doing About All the Malware?

One measure introduced by the company is Google Play Protect, which scans apps prior to installation and again after they have been installed. Additionally, Google reported using machine learning to improve detection of suspicious apps upon their submission to the Play Store. Google Play Protect reduced malicious app installs by 50% year-over-year in 2017 and awards a “verified by Play Protect” badge. As good as it is, there is evidently more room for improvement, based on the massive impact of malware we described above.

Researchers from various AV companies also contribute to the cause. Google even started a Security Reward Program to motivate white hat professionals to catch malicious vendors and applications. Additionally, to help clean up the Store, Google added a flagging feature for users, combined with renewed efforts to educate them about threats.

However, it seems unlikely that Google will abandon its dedication to keeping the Play Store open in favor of imposing strict regulations and a lengthy approval process similar to the one the Apple Store uses.

Tips to Safeguard Your Mobile Device and Data

  • Install an anti-malware product and keep it updated.
  • Make sure that your Android device has the latest patches and isn’t running an outdated Android version. Vendors using Android OS may have a different update schedule, even if it’s the latest OS version, so be sure to check for updates regularly.
  • Always assume the risks; there is no such thing as a 100% safe app.
  • Don’t rush. Take your time to study the app before downloading. Check the publisher’s site, rank, and reviews.
  • Pay additional attention when installing an app from a well known brand (remember the fake app pretending to be WhatsApp?)
  • Upon installation, check the app’s permissions in “Permission Details.” Be wary of apps requesting too many permissions for their purpose. For example, if a wallpaper app requests access to your SMS, phone, address book, and network connections, it may either use this access for ad targeting or a more harmful purpose. Be sure to check which additional permissions an app requires during updates; it may try to get elevated rights after installation, especially in cases where the update request pops up repeatedly after being declined.

Spoof Flash app asking too much. The “This may cost you money” notification is placed by Android.

  • Just like with cases of phishing on desktops, avoid clicking links you receive in SMS and IM, especially if the sender is unknown or the message is urging you to do so. It’s an outright scam.
  • Don’t download apps outside of the Google Play Store or from a third-party store, unless you’re absolutely sure about the store and vendor. Your mobile AV must be on at all times.
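
The permission tip above can be automated when you have an app's decoded AndroidManifest.xml for two versions. The following is an added example, not code from the original article: it flags permissions a wallpaper app has no obvious need for and those that first appear in an update. The manifests are constructed samples and the per-category baseline is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the tip singles out (SMS, phone, address book), with the reason to care.
SENSITIVE = {
    "android.permission.SEND_SMS": "sends SMS, may cost money",
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.CALL_PHONE": "places calls, may cost money",
    "android.permission.READ_CONTACTS": "reads the address book",
}

# Assumption: what an app of a given category plausibly needs (hypothetical baseline).
BASELINE = {"wallpaper": {"android.permission.SET_WALLPAPER"}}

# Constructed manifests for a hypothetical wallpaper app, before and after an update.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace("</manifest>", """
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>""")


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def audit(category, old_manifest, new_manifest):
    """Compare an update against the category baseline and the previous version."""
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    unexpected = new - BASELINE.get(category, set())
    return {
        "unexpected": sorted(unexpected),
        "sensitive": {p: SENSITIVE[p] for p in sorted(unexpected) if p in SENSITIVE},
        "added_in_update": sorted(new - old),
    }


if __name__ == "__main__":
    for key, value in audit("wallpaper", MANIFEST_V1, MANIFEST_V2).items():
        print(key, value)
```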