This is how malicious Android apps avoid Google’s security vetting

Cyberattackers are using a variety of tactics to stop Google spotting suspicious app behavior.
Written by Charlie Osborne, Contributing Writer

Google maintains a strict cybersecurity posture when it comes to the functionality and behavior of apps submitted by developers for hosting on the official Google Play Store, but sometimes, malicious software slips through the net. 

Malicious Android apps can take a variety of forms -- they may be laden with adware designed to generate fraudulent income for developers by forcing users to view or click adverts; banking malware including the Joker variant has been spotted in Google Play apps downloaded close to half a million times, and some fake apps will bury malicious functionality until the moment a victim moves their mobile device

As the official repository for Android apps catering to countless app installs every day, Google Play utilizes a range of barriers to reject applications believed to be malicious. 

However, with every improvement, fraudsters strike back by developing new techniques to fool Google into accepting their submissions.

See also: Gaming, photo apps in Google Play infect Android handsets with malware

Bitdefender researchers said on Wednesday that cyberattackers are nothing if not "imaginative" when it comes to dancing around Google protections, and in a new whitepaper (.PDF) on the subject, the cybersecurity firm has listed the key techniques currently employed to ensure malicious apps land in the repository. 

The key techniques are below:

Main logic encrypted and loaded dynamically: By not including an app's main logic in standard code and relying instead on a native executable dynamic library that is first loaded -- leading to the decryption and loading of subsequent code -- this can disguise malicious functionality until the app has been downloaded and executed. 

Time checks: An interesting technique documented by Bitdefender is the use of time checks. A hardcoded time stamp will be systematically reviewed, and if the time recorded is over 18 hours, adware then begins to show users advertising. Periodic checks to sustain malvertising can keep these functions hidden and may not trigger an alert from Google Play. 

Long display times: Times between ads -- up to 350 minutes -- have also been recorded, which the researchers call an "anti Google Play mechanism."

"Because the ads do not show within a reasonable time, the samples escape security scrutiny," the team says. 

TechRepublic: How to avoid malware on Android in one easy step

Open source utility libraries: Libraries can be used to pull and run jobs in the background, and these may also be used to show ads and control processes including 'ShowAds activity' or the 'ShowAdsHideIcon' function.  

Clean SDKs, to begin with: In some instances, developers may upload a clean install of an app, only to replace the codebase over time with additional malicious functionality through updates or by changing the configuration and behavior of an otherwise clean app via a connected server.  

Whether or not you download an app from an official store, there is always some risk that the app will not behave in the way you expect. If there are indications that all is not well -- such as power drain, unexpected ads, or high levels of requested permissions without purpose -- it's often safer to remove new apps and perform a malware scan. 

CNET: Uber in talks with Los Angeles as scooter location data lawsuit looms

"Regardless if downloaded from official marketplaces or third-party ones, it's always recommended to go through user comments and app ratings, as user feedback can be a strong indicator of deceiving or malicious behavior," Bitdefender added. 

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards