Google Play apps loaded with malware have been downloaded by millions of users

by



[ad_1]

Malicious applications discovered by Symantec Threat Intelligence have popped up full-screen ads and hidden the title of the app even in the App Switcher view. It was therefore difficult for users to know where they came from.
Enlarge / Malicious applications discovered by Symantec Threat Intelligence have popped up full-screen ads and hidden the title of the app even in the App Switcher view. It was therefore difficult for users to know where they came from.

Symantec

This week, May Ying Tee of Symantec Threat Intelligence and Martin Zhang revealed to Google that they reported to Google a group of 25 malicious Android apps available through Google Play Store. In total, applications (which all share a code structure similar to that used to evade detection during security filtering) have been downloaded more than 2.1 million times from the store.

The apps, which were hiding on the home screen shortly after installation and were starting to show ads on the screen even when apps were closed, were removed from the store . But other applications using the same method to escape the security screening of Google applications can stay.

Published under 22 different developer accounts, all apps had all been downloaded in the last five months. The similarity in application coding, however, suggests that developers "may be part of the same organizational group, or at least use the same source code base," May and Zhang wrote.

Most apps claimed to be photo or fashion related utilities. In one case, the application was a duplicate of another legitimate application "photo blur" published under the same name of developer account – the legitimate version being presented in the category "most trendy applications" graphics "Top Apps" from Google Play. "We believe that the developer deliberately creates a malicious copy of the trend application in the hope that users download the malicious version," concluded May and Zhang.

Call home

At first, after installation, malicious applications normally appear on the Android home screen. But once launched, they retrieve a remote configuration file containing the malicious code. Keywords associated with malicious activity, including code intended to hide the application's icon, are encrypted in the configuration file. "We believe that it is an effort on the part of malware authors to avoid rule-based detection by antivirus," said May and Zhang.

Once the configuration file has been downloaded, the application extracts the parameters and modifies its behavior accordingly. The application then hides its icon on the home screen, and then starts to display full screen ads even when the app is closed. "Full-screen ads are displayed at random intervals, with no app title registered in the ad window, so users have no way of knowing which app is responsible for the behavior," said the researchers. from Symantec.

Obviously, these malicious apps are simply aimed at generating advertising revenue for their developers. "Thanks to the ability of apps to hide their presence on the home screen, users can easily forget that they have downloaded them," noted the researchers. And with no way to link ads to a specific app, developers have a captive audience and are free to continue serving ads to their victim users without fear that their apps will be uninstalled.

[ad_2]

Source link