Four separate malware campaigns targeting Android users have been discovered in the Google Play Store in the last few days. The malware, discovered by four different security companies (McAfee, Malwarebytes, Dr.Web and ESET), was disguised as legitimate Google Play apps and managed to get millions of downloads. This is not the first time malware has been found in Google Play, but four separate malware campaigns in just a few days is rather alarming.
Grabos malware found in 144 Google Play apps
As McAfee details in a report, Grabos malware was discovered in 144 apps on the Google Play Store. The company’s Mobile Research team first discovered the malware in Aristotle Music audio player 2017, a free audio player app. Since then, 144 apps on Google Play have been found to contain the Grabos malware.
McAfee notes that Aristotle had a good rating and millions of downloads, which is enough for many users to trust an app. In addition, the 34 apps that the research team was able to investigate also had good ratings (4.4 on average) and plenty of downloads, between 4.2 and 17.4 million.
According to McAfee, the reason the apps were able to bypass Google Play’s security measures is that the malware’s code is protected with a commercial obfuscator, which deliberately makes it difficult to examine an app without opening it first.
The malware aims to fool users into downloading and installing apps by showing fake notifications. So it is safe to say that it is trying to make a profit by promoting app installations.
AsiaHitGroup malware makes it difficult to identify it
A security researcher from Malwarebytes recently discovered malware posing as legitimate apps on Google Play. The malware, named AsiaHitGroup, was first discovered in a QR scanner app with the name “Qr code generator – Qr scanner” but was later also found in an alarm clock app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app.
When users download the app, it works as it should the first time. However, after the user exits, it disappears. Users will not be able to find it anywhere by name, which makes it difficult to get rid of. The researcher notes that the app then disguises itself as Download Manager. If users are not familiar with which apps they have installed, finding the malware manually is basically impossible.
The malware checks your location as the first thing it does upon launch. If you are located in Asia (hence the name AsiaHitGroup), it downloads an SMS Trojan, which subscribes the victim to premium phone numbers via SMS.
Trojan found in 9 apps with downloads between 2.37 and 11.7 million
Software company Dr.Web discovered a Trojan in 9 apps on Google Play. The threat, named Android.RemoteCode.106.origin by the company, opens websites without the user knowing in order to generate ad revenue for the owners of those sites. Dr.Web’s report also notes that the Trojan could be used to perform phishing attacks and steal confidential information.
The 9 apps discovered to contain the malicious code ranged from games to backup apps. According to Dr.Web, the Trojan was found in the following apps:
- Sweet Bakery Match 3 – Swap and Connect 3 Cakes 3.0;
- Bible Trivia, version 1.8;
- Bible Trivia – FREE, version 2.4;
- Fast Cleaner light, version 1.0;
- Make Money 1.9;
- Band Game: Piano, Guitar, Drum, version 1.47;
- Cartoon Racoon Match 3 – Robbery Gem Puzzle 2017, version 1.0.2;
- Easy Backup & Restore, version 4.9.15;
- Learn to Sing, version 1.2.
Once the user downloads the app, Android.RemoteCode.106.origin checks whether the device meets its requirements. If the infected device does not have a specific number of photos, contacts or phone calls, the Trojan does nothing. If, however, the conditions are met, the Trojan downloads a list of modules, launches additional malicious modules to inflate website traffic statistics and follows advertising links.
Since Dr.Web released the report, the malicious code has been removed from some of the apps, while others still remain malicious.
ESET discovers multi-stage malware
A new form of multi-stage malware was discovered in 8 apps on Google Play by security company ESET. The malware, detected as Android/TrojanDropper.Agent.BKY by ESET, is basically a banking Trojan.
The apps were discovered fairly quickly, so they only managed to get a couple of hundred downloads. The malware was posing as Android cleaning or news apps. They have since been removed from the Google Play Store.
Once users download the apps, they do not notice anything strange, as the apps behave the way users expect them to and do not ask for any unusual permissions. The malware also employs a multi-stage architecture and encryption to remain undetected.
When it is downloaded, it executes its first-stage payload, which launches a second-stage payload. The second-stage payload then downloads an app, the third-stage payload. This happens in the background, so the user is not aware of it.
As ESET explains, the user is then asked to install the downloaded app, which may be disguised as some kind of seemingly legitimate software. The malicious app then asks the user to grant various permissions, and if the user does, the app executes the final payload, which is basically a banking Trojan.
The banking Trojan then shows you fake login screens to obtain your credentials or credit card details.