Android security: Sneaky three-stage malware found in Google Play store

Tens of thousands of users have downloaded two newly uncovered forms of malware.
Written by Danny Palmer, Senior Writer

Google is once again facing questions about the security of the Play Store for Android.


Another crop of Android apps hiding malware has been discovered in, and removed from, the Google Play store.

Researchers at ESET discovered eight apps available to download via Google Play, all of which carried Trojan Dropper, a form of malware that lets attackers drop additional malicious payloads, ranging from banking trojans to spyware, onto an infected device.

Disguised as apps including news aggregators and system cleaners, the apps looked legitimate but hid their malicious properties with the help of obfuscation and by delaying installation of the payload.


Some of the malicious apps identified by ESET. (Image: ESET)

Following the initial download, the app doesn't request the suspicious permissions associated with malware and initially mimics the activity the user expects, an increasingly common tactic among malware developers.

However, alongside this user-facing activity, the app secretly decrypts and executes payloads in a multi-step process. The malicious app decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload. This second-stage payload contains a hardcoded URL from which the malware downloads a third-stage payload containing another malicious app.

All of this goes on in the background without the user's knowledge until, after a five-minute wait, they are prompted to install or update an app. The prompt is disguised to look like legitimate software, such as an update for Adobe Flash Player or the Android system itself, when it is in fact the third stage of the malware's dropping process.

The installation request asks for permissions that enable intrusive activity, such as reading contacts, sending and receiving calls and text messages, and modifying or deleting the contents of storage. If the user allows this 'update' to install, Trojan Dropper delivers the third-stage payload, which decrypts and executes the final payload: the malware itself.

Once installed on the device, Trojan Dropper is used to install other forms of malware. It has been spotted attempting to deliver the MazarBot banking trojan and various forms of spyware, but researchers note it can be used to deliver any malicious payload of the criminals' choosing.


Researchers analysed the bit.ly URL used to deliver the final download and found that almost 3,000 users, mostly based in the Netherlands, reached this stage of the infection. ESET informed Google of the apps, which have now been removed from the store.

ESET's report coincides with researchers at Malwarebytes uncovering a new Android trojan masquerading as multiple apps in the Play Store.

Disguised as innocuous-looking apps such as an alarm clock, a QR code reader, a photo editor and a compass, the AsiaHitGroup malware has been downloaded by thousands of users from the Google Play store.

"Based on data from Google Play, the apps present in the Play store that are infected with Android/Trojan.AsiaHitGroup have been installed 10,700 to 22,000 times," Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes, told ZDNet.

Like other forms of malware, AsiaHitGroup appears legitimate, even providing the advertised function. However, in this instance the user only gets one chance to use the app, because once it is closed its icon disappears.

But rather than becoming inactive, AsiaHitGroup disguises itself as the phone's 'download manager' in the list of downloaded apps and continues to carry out its malicious activity, which in this case involves tracking the user's location and distributing adware in order to generate money. Researchers say the geolocation checks ensure that the malware only targets users in Asia.

Like Trojan Dropper, AsiaHitGroup uses obfuscation techniques to hide itself within the Google Play store.
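The staging described in the ESET section (an encrypted blob shipped inside the APK, decrypted and loaded at runtime, a hardcoded shortener URL for the next stage, and an install prompt for a fake 'update') and the icon-hiding trick from the Malwarebytes section all leave traces in the package itself. The script below is an added triage example, not code from ESET, Malwarebytes or the malware authors: it treats an APK as the zip file it is and flags high-entropy non-code assets, references to dynamic class loading and crypto APIs, the APK install MIME type, shortener URLs, and the component-disabling call used to hide a launcher icon. The indicator lists, the 7.0 bits-per-byte entropy threshold and the sample APK it builds are my own assumptions; legitimate apps use several of these APIs too, so the output is a reason to look closer, not a verdict.

```python
import io
import math
import random
import re
import zipfile

# Indicator strings as they appear in a classes.dex string table. These are
# assumed heuristics: any one of them is common in benign apps, so only the
# combination is interesting.
LOADER_APIS = (
    "dalvik/system/DexClassLoader",          # loads a dex/jar from the filesystem
    "dalvik/system/InMemoryDexClassLoader",  # loads a dex straight from memory
    "javax/crypto/Cipher",                   # decrypts the staged payload
)
INSTALL_INDICATORS = (
    "application/vnd.android.package-archive",  # MIME type that triggers an APK install prompt
    "android.intent.action.INSTALL_PACKAGE",
)
ICON_HIDING = ("setComponentEnabledSetting",)   # disables the launcher activity so the icon vanishes
SHORTENER_HOSTS = ("bit.ly", "goo.gl", "tinyurl.com")  # assumed list of link shorteners
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-/]+")
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or random data sits near 8.0
MIN_BLOB_SIZE = 1024      # ignore tiny files, whose entropy is noisy
ALREADY_COMPRESSED = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".zip", ".gz")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk(src) -> dict:
    """Scan an APK (file path or raw bytes) for staged-payload indicators."""
    fobj = io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src
    report = {"high_entropy_assets": [], "loader_apis": [], "install_indicators": [],
              "icon_hiding": [], "urls": [], "shortener_urls": []}
    with zipfile.ZipFile(fobj) as apk:
        for info in apk.infolist():
            name = info.filename
            data = apk.read(info)
            if name.endswith(".dex"):
                # Plain substring search over the dex is enough for a triage pass;
                # obfuscated droppers may assemble these strings at runtime instead.
                report["loader_apis"] += [s for s in LOADER_APIS if s.encode() in data]
                report["install_indicators"] += [s for s in INSTALL_INDICATORS if s.encode() in data]
                report["icon_hiding"] += [s for s in ICON_HIDING if s.encode() in data]
                for m in URL_RE.findall(data):
                    url = m.decode()
                    report["urls"].append(url)
                    if any(host in url for host in SHORTENER_HOSTS):
                        report["shortener_urls"].append(url)
            elif name.startswith(("assets/", "res/raw/")):
                # Skip formats that are high-entropy by nature, otherwise every
                # bundled image would trip the threshold.
                if name.lower().endswith(ALREADY_COMPRESSED) or len(data) < MIN_BLOB_SIZE:
                    continue
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    report["high_entropy_assets"].append((name, round(ent, 2)))
    # Staged dropper pattern: something to decrypt/load, plus a way to fetch or
    # install the next stage.
    report["suspicious"] = bool(
        report["high_entropy_assets"] and report["loader_apis"]
        and (report["install_indicators"] or report["shortener_urls"])
    )
    return report


def build_sample_apk() -> bytes:
    """Constructed sample, not a real malware APK: a zip laid out like an APK whose
    classes.dex references the indicator strings and whose assets/ holds a
    random (encrypted-looking) blob next to a plain config file."""
    rng = random.Random(2017)  # seeded so the sample is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(8192))
    dex = (b"dex\n035\0" + b"\0" * 64
           + b"Ldalvik/system/DexClassLoader;\0Ljavax/crypto/Cipher;\0"
           + b"setComponentEnabledSetting\0"
           + b"application/vnd.android.package-archive\0"
           + b"http://bit.ly/constructed-sample\0")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder, not a real binary manifest>")
        z.writestr("classes.dex", dex)
        z.writestr("assets/config.json", b'{"news_feed": "example"}' * 40)
        z.writestr("assets/payload.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    print(json.dumps(scan_apk(target), indent=2))
```

Run it with a path to an APK to scan a real package, or with no argument to scan the constructed sample. A real second-stage check would decrypt the flagged asset and scan it the same way, but the key is usually derived inside the obfuscated code, so that step is manual work in a disassembler rather than something this pass can do.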

In both cases, users with Google Play Protect enabled would have been protected from the malicious apps, but these are just the latest instances of malware finding its way into the official application marketplace for Android: BankBot banking data-stealing malware was recently found in the store for the third time.

Google says it has a stringent security process for stopping malicious software from getting into the Play store and that it keeps the vast majority of its 1.4 billion Android users safe from malware.

ZDNet has attempted to contact Google for comment but hadn't received a response at the time of publication.

