There has always been a battle between the Google Play Store and the malicious applications that attempt to reside on it. Google implements rigorous security testing of all apps, but some can still slip through the cracks. Such was the case when researchers from Symantec’s Threat Intelligence team found 25 malicious apps, with a combined userbase of over 2.1 million, on the Google Play Store. These apps were camouflaged as photo utility and fashion apps and, upon download, did not exhibit any malicious properties. Only after an app downloaded a remote configuration file did it become malicious. This behavior is what allowed the apps to bypass the security checks implemented by Google: since the malicious code is not actually in the app and is downloaded remotely, Google is none the wiser. Researchers say that the 25 apps share a similar code structure, leading them to believe that the developers are part of the same organization or, at least, using the same code base.
Once installed, the app hides its icon and begins to display full-screen advertisements at random intervals with the app title hidden. This is done to prevent users from determining which app is responsible for the ads. This behavior continues even when the app is closed. It can be confusing for users, who cannot even recall downloading the app, as there is no icon or name associated with the behavior. Another interesting trick is the developers' use of two versions of the same app. One is a malicious version with full-screen advertisements, while the other is a non-malicious version, which just so happens to be present in Google Play’s Top App Charts. The researchers believe that this is done in the hope that users accidentally download the malicious copy of the app instead of the popular, non-malicious version.
The researchers believe that the primary reason for the creation of these apps is monetary gain from advertising revenue. There will be some subset of users that will continue to deal with the advertisements, despite their annoyance. When downloading apps from the Google Play Store, it can be difficult to determine which are malicious at first glance. In order to protect yourself from malicious applications, the researchers suggest keeping software updated, not downloading apps from unfamiliar sites, only installing apps from trusted sources, and paying attention to the permissions requested by apps that you download.
Sources:
• https://www.symantec.com/blogs/threat-intelligence/hidden-adwaregoogle-play09