Experts described how Android malware infiltrates the Google Play Store

Malware in Google Play Store
Written by Valdis Koks

It’s no secret that, despite all of Google’s security measures, malicious Android applications still make it into the official Play Store. Bitdefender specialists set out to describe the methods attackers use to bypass those protective measures, and exactly how Android malware gets into the Google Play Store.

Malicious applications can take many forms. For example, adware can be “tied” to a legitimate program, generating clicks that let its authors earn money from it.

There are also complex trojans such as Joker, which manage not only to get through the Google Play Store’s security layers but also to get hundreds of thousands of users to install them on their devices.

In addition, there are fake applications that hide their malicious functionality and lie dormant until the user lets their guard down.

“Researchers recently analyzed 25 apps that made it into Google Play, at least for a time, packing aggressive adware SDKs that bombarded users with ads and avoided removal by hiding their presence. Cumulatively, the apps were apparently downloaded almost 700,000 times by Google Play users. While Google has gone to great lengths to ban malicious or potentially unwanted applications from the official Android app store, malware developers are nothing if not imaginative when coming up with new ideas to dodge Google Play Protect”, write Bitdefender researchers.

Of course, Google constantly works on new barriers meant to keep unwanted programs out of the official app store. Still, resourceful attackers keep inventing ways to get their creations onto the Play Store.

Bitdefender researchers have published a report (PDF) that lists the main methods used to get malware into the Google Play Store.

Malicious functionality is encrypted and loaded dynamically. One way to hide a malicious component is to rely on a native dynamic library that is loaded on first launch; its job is to decrypt the malicious code and load it.

Checking time intervals. Quite an interesting technique: a hard-coded timestamp tells the adware when to start displaying advertisements. This solves two problems for the attacker at once: the application passes the Google Play Store’s review, and the user cannot immediately connect the intrusive advertising to the app that causes it.


Large gap between advertisements. Authors sometimes set a delay of up to 350 minutes between ad displays. According to the experts, this is enough to slip past the protective measures of the official Android app store.

Open-source libraries. Such libraries can be used to run tasks in the background. With their help, the app can display ads and call functions such as “ShowAdsHideIcon”.

Initially harmless SDK. A well-known technique: an attacker uploads a perfectly legitimate version of the application to the Play Store, then adds malicious functionality to it through the update mechanism.
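The evasion techniques listed above each leave a static trace that a reviewer or analyst can look for: a native library whose contents are near-random (encrypted payload), a hard-coded epoch timestamp later than the build, a very long scheduling delay, and identifiers such as “ShowAdsHideIcon”. The following Python script is an added example written for this article; it is not Bitdefender’s or Google’s code. It assumes the APK has already been decompiled and its string constants, identifiers and native library bytes extracted (here a constructed sample is embedded inline); the thresholds and the build date are assumptions chosen for the example.

```python
import hashlib
import math
import re
from collections import Counter

# Heuristic thresholds: assumptions for this example, not values from the report.
HIGH_ENTROPY_BITS = 7.5            # bits per byte; encrypted or packed data sits near 8.0
LONG_DELAY_MS = 350 * 60 * 1000    # the 350-minute ad gap mentioned in the article
EPOCH_LITERAL = re.compile(r"1[0-9]{9}")          # 10-digit Unix timestamps (2001..2033)
SUSPICIOUS_NAMES = re.compile(r"(?i)(show.?ads|hide.?icon)")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a value close to 8.0 suggests encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def future_timestamps(constants, build_epoch):
    """Epoch literals later than the build time: a hard-coded 'start misbehaving later' date."""
    return [int(c) for c in constants
            if EPOCH_LITERAL.fullmatch(c) and int(c) > build_epoch]


def long_delays(constants, threshold_ms=LONG_DELAY_MS):
    """Integer literals plausibly used as millisecond delays at or above the threshold.
    Timestamp-looking literals are skipped so they are not double-counted as delays."""
    return [int(c) for c in constants
            if c.isdigit() and not EPOCH_LITERAL.fullmatch(c) and int(c) >= threshold_ms]


def suspicious_identifiers(identifiers):
    """Method or class names that advertise adware behaviour (e.g. ShowAdsHideIcon)."""
    return [name for name in identifiers if SUSPICIOUS_NAMES.search(name)]


def triage(apk, build_epoch):
    """Run all heuristics over one decompiled-APK description; returns the triggered findings."""
    findings = []
    for lib, blob in apk["native_libs"].items():
        if shannon_entropy(blob) >= HIGH_ENTROPY_BITS:
            findings.append(f"high-entropy native library {lib} (possible encrypted payload)")
    if future_timestamps(apk["constants"], build_epoch):
        findings.append("hard-coded future timestamp (time-gated behaviour)")
    if long_delays(apk["constants"]):
        findings.append("very long scheduling delay (review-evasion gap)")
    for name in suspicious_identifiers(apk["identifiers"]):
        findings.append(f"suspicious identifier {name}")
    return findings


def _pseudo_random(n):
    """Deterministic stand-in for an encrypted blob (SHA-256 chain), so the example is repeatable."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed sample: not a real application.
SAMPLE_APK = {
    "native_libs": {
        "libhelper.so": _pseudo_random(8192),                                   # encrypted-looking
        "libjni.so": b"\x7fELF" + b"\x00" * 64 + b"Java_com_example_jni_init\x00" * 20,  # ordinary
    },
    "constants": ["1577836800", "21000000", "300", "0"],   # 2020-01-01 epoch; 350 min in ms
    "identifiers": ["MainActivity", "ShowAdsHideIcon", "onCreate"],
}
BUILD_EPOCH = 1569888000   # 2019-10-01: assumed build date of the sample

if __name__ == "__main__":
    for finding in triage(SAMPLE_APK, BUILD_EPOCH):
        print("[!]", finding)
```

On the constructed sample all four heuristics fire, while the ordinary-looking libjni.so stays below the entropy threshold. Each heuristic alone produces false positives (legitimate apps embed compressed assets and schedule long-running jobs too), so the output is a triage signal for a human reviewer rather than a verdict.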

Solution

Experts urge users to remember that downloading an application, even from the official store, always carries some risk. So check what you are downloading, and think twice about whether you really need each questionable program.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
