Android security: Malicious apps sneak back into Google Play after tweaks

The names of the apps were slightly different - but the malicious code was the same.
Written by Danny Palmer, Senior Writer

Malware has reappeared in Google Play, the official Android app marketplace, after previously being identified and removed.

Uncovered by researchers at Symantec, the malware was bundled inside at least seven different apps.

The apps were listed as emoji keyboard additions, space cleaners, calculators, app lockers, and call recorders, but none actually performed the advertised functions, and only existed to serve up malware in the form of adware to drive clicks for illicit profit.

The malware had previously appeared in the Play Store before being removed after Google was alerted to its presence. However, the same malicious code reappeared in the official Android marketplace, this time in apps with slightly different names under the banner of a new publisher.

In order to help the apps slip past Google Play security, the malware is configured to wait four hours before starting the malicious activity. This also helps lure the user into a false sense of security about the app, so even if they notice the device acting suspiciously, they might not attribute this to the recently installed application.

Following activation, the malware looks to consolidate its position on the device by asking for administrator privileges in order to carry out its activity and make it more difficult for the app to be removed.

In order for the request to look convincing, the attackers use an official Google Play icon when asking for administrator privileges.


The malware using Google imagery to ask for admin rights.

Image: Symantec

The goal of the malware is to deliver adware. Browsers are also forced to repeatedly open scam pages featuring fake 'you won' notifications which, when clicked, deliver profit to the attackers.

ZDNet has approached Google for comment on how the apps were allowed to enter the Play Store after being previously identified as malware, but hasn't received a response at the time of writing.


Researchers at Symantec have also identified a further 38 malicious apps which entered the Google Play store for the first time in December. The apps claim to be games and education apps, but don't really have the functions they promise to provide.

Instead, they forcibly redirect users to install another app from the Play Store called 'Change My Voice' which does have some functionality and also displays lots of adverts -- once again used to drive click-based revenue.

At least 10,000 users in the US, UK, South Africa, India, Japan, Egypt, Germany, the Netherlands, and Sweden downloaded this malware before it was removed from the Play Store after Symantec informed Google.

In order to remain protected against Android malware, researchers recommend keeping software up-to-date and paying close attention to permissions requested by apps, especially unfamiliar or unusual ones.

A recent report by Google said the company detected 99 percent of apps with malicious content before anyone could install them and the vast majority of its two billion Android users are safe from malware.

However, with a large userbase, even a small percentage of malicious apps slipping through the net could result in millions of devices inadvertently being compromised.

