Bitdefender has detected 35 malicious apps on Google’s Play Store. Together they have more than two million downloads.
The antivirus company Bitdefender has found 35 malicious apps in the Google Play Store. According to the figures shown in the Play Store, they total more than two million downloads. The apps are adware.
Malware hide and seek
In the app store, the functional description of the apps is intended to tempt potential victims to install them. However, once the software is on the smartphone, it renames itself, changes the app icon and starts aggressively playing ads, Bitdefender explains.
That sounds like a small thing. However, these apps use their own advertising framework, which could also be used to deliver malware through the ads. In addition, the advertising is intrusive and ruins the overall experience of using the phone. The obfuscation also makes it difficult for affected users to track down and uninstall the app.
Although the detected apps are clearly malicious, their developers were able to upload them to the Google Play Store. They were even able to distribute updates that allow the apps to hide themselves better.
Using the app GPS location map as an example, Bitdefender’s researchers explain how the malicious apps work. With more than 100,000 downloads it was one of the most popular of the apps, yet it had no ratings. Immediately after installation the app renamed itself to Settings and displayed additional web pages in WebViews along with advertising. WebViews are a component of the Android operating system that lets apps load content such as websites and advertisements.
GPS location map also changed its app icon to make it harder to find. On some devices the malicious apps additionally requested permission to bypass battery optimization and started so-called foreground services with notifications, which the system does not terminate but keeps running indefinitely. Many of the apps also requested permission to display on top of other apps. Bitdefender suspects that the operators behind the malware use this to simulate user clicks and thereby increase their profits.
The developers heavily obfuscated the malware code to make reverse engineering, and with it the detection of the malicious functions, more difficult. The main malicious Java code of GPS location map resides in two encrypted DEX files. Decryption is performed by obfuscated native code, and even after decryption the strings in the Java code remain obfuscated.
In their report, the Bitdefender researchers describe the malware’s routines in detail. For example, the malicious apps did not appear in the list of recently used apps because their app manifests set android:excludeFromRecents="true".
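A small triage check for the manifest indicators described above (overlay and battery-optimization permissions, foreground services, excludeFromRecents), written here as an added example; it is not Bitdefender’s tooling, and the manifest it parses is a constructed sample rather than that of any real app. It assumes a decoded AndroidManifest.xml, such as apktool produces.

```python
import xml.etree.ElementTree as ET
from typing import List

# Android's manifest attribute namespace, as used in decoded AndroidManifest.xml files.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the behaviour described above: drawing over other apps,
# bypassing battery optimisation, and keeping a foreground service alive.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "may draw over other apps",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to bypass battery optimization",
    "android.permission.FOREGROUND_SERVICE": "may run a persistent foreground service",
}


def android_attr(elem: ET.Element, name: str) -> str:
    """Read an android:-namespaced attribute, returning '' if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


def triage_manifest(manifest_xml: str) -> List[str]:
    """Return human-readable findings for the indicators discussed in the article."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = android_attr(perm, "name")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"permission {name}: {SUSPICIOUS_PERMISSIONS[name]}")
    # excludeFromRecents is set per activity (or activity-alias); an app whose
    # entry point carries it will not show up in the recent-apps list.
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            if android_attr(act, "excludeFromRecents") == "true":
                findings.append(f"{tag} {android_attr(act, 'name')} is excluded from recents")
    return findings


# Constructed sample manifest (not from any real app) exercising every indicator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.gpsmap">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="GPS Location Map">
    <activity android:name=".MainActivity" android:excludeFromRecents="true"/>
    <activity android:name=".MapActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

None of these indicators is malicious on its own; a legitimate navigation app may well hold the foreground-service permission, so the output is a prompt for a closer look, not a verdict.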
Protection against malware apps
The security researchers also give some sensible recommendations. Users should not install apps they do not really need, and they should uninstall apps they no longer use.
Caution is advised with apps that have high download numbers but hardly any user ratings. An app requesting special rights, such as permission to overlay other apps, should also be treated as a warning sign. The same applies to any app that requests permissions unrelated to its advertised function.
According to Bitdefender, the malicious apps are hidden behind the following package names. Android users should check their phone for them and uninstall them if they are present.
Cybercriminals repeatedly manage to smuggle malware into Google’s Play Store. Once it is discovered, however, Google usually removes it from the store and typically uninstalls it from affected smartphones as well. About a month ago the company removed the Android malware Autolycos, which had three million installations, from Google Play.