Malware sneaks into Google Play - Business Today News

It shows an improved ability to bypass Google Play’s protection mechanisms, according to ESET


ESET, a leading global cyber security company, has discovered another set of malicious apps in the official Android app store.

Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, the eight apps form a new family of legitimate-looking, multi-stage Android malware with a delayed onset of malicious activity.

ESET has since notified Google’s security team about the issue. Google has removed all eight apps from its store; users with Google Play Protect enabled are protected via this mechanism.


Figure 1 – Six of the multi-stage downloaders discovered on Google Play

Anti-detection features

None of the apps, which have advanced anti-detection features, had reached more than a few hundred downloads. The malware samples all employed a multi-stage architecture and encryption to stay under the radar. After being downloaded and installed, the apps tended not to request any suspicious permissions and even mimicked the activity the user expected them to exhibit.

At the same time, the malicious app decrypted and executed its first-stage payload, which in turn decrypted and executed the second-stage payload stored in the assets of the initial app downloaded from Google Play. These steps remained invisible to the user and served as obfuscatory measures.

Figure 2 – Execution model of Android/TrojanDropper.Agent.BKY

The second-stage payload contained a hardcoded URL, from which it downloaded another malicious app (that is, the third-stage payload) without the victim’s knowledge. After a pre-defined delay of approximately five minutes, the user was then prompted to install the downloaded app.


The app downloaded by the second-stage payload was disguised as well-known software like Adobe Flash Player, or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, the app’s purpose was to drop the final payload and obtain all the permissions that payload needed for its malicious actions.


Once installed and granted the requested permissions, the malicious app serving as the third-stage payload decrypted and executed the fourth-stage – and final – payload.

In all the cases investigated by ESET, the final payload was a mobile banking trojan. Once installed, it behaved like a typical malicious app of this kind, with the potential to present the user with fake login forms to steal credentials or credit card details.

One of the malicious apps downloaded its final payload using the bit.ly URL shortener. Thanks to this, ESET was able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times, with the vast majority of hits coming from the Netherlands.


Figure 4 – Download stats for the final payload of one of the malicious apps, as of November 14, 2017
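The execution model above has static traits a defender can look for before an app ever runs: an encrypted next stage hidden in the APK’s assets, a hardcoded URL pointing at a further .apk, a lookalike label such as “Adobe Flash Player”, and a request for device-administrator rights by the dropped app. The following Python triage script is an added example, not ESET’s tooling and not code from the article; it builds two constructed, simplified APKs in memory (a real AndroidManifest.xml is binary XML, here it is plain text, and the package names, labels, file names, URL and entropy threshold are all made-up assumptions) and reports which of those traits each one shows.

```python
"""Static triage heuristics for multi-stage Android droppers.

Added example (not ESET's code). Mirrors the traits described in the article:
 - an encrypted next-stage payload hidden in the APK's assets/ directory
 - a hardcoded download URL for a further .apk inside the code
 - lookalike app labels such as "Adobe Flash Player" / "Android Update"
 - a request for device-administrator binding by the dropped payload
All sample APKs below are constructed in memory and simplified.
"""
import io
import math
import random
import re
import zipfile
from collections import Counter

# Entropy threshold in bits per byte (assumed heuristic value). Encrypted or
# compressed data sits near 8.0; text, XML and most resources sit well below 7.2.
HIGH_ENTROPY = 7.2

# Lookalike names the article reports for the dropped third-stage app.
LOOKALIKE_LABELS = ("adobe flash player", "adobe update", "android update")

# Rough matcher for URL literals inside DEX string data.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/%?=&+#]+")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the dropper indicators found in one APK (a zip archive)."""
    report = {"high_entropy_assets": [], "urls": [], "lookalike_label": False,
              "device_admin": False, "reasons": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)  # decompressed content, so entropy is of the real bytes
            if name.startswith("assets/") and len(data) >= 256:
                ent = shannon_entropy(data)
                if ent >= HIGH_ENTROPY:
                    report["high_entropy_assets"].append((name, round(ent, 2)))
            elif name.endswith(".dex"):
                report["urls"].extend(u.decode() for u in URL_RE.findall(data))
            elif name == "AndroidManifest.xml":
                text = data.decode("utf-8", "replace").lower()
                report["lookalike_label"] = any(l in text for l in LOOKALIKE_LABELS)
                # A device-admin receiver is declared with BIND_DEVICE_ADMIN.
                report["device_admin"] = "bind_device_admin" in text
    if report["high_entropy_assets"]:
        report["reasons"].append("encrypted-looking blob in assets/ (possible hidden stage)")
    if any(u.lower().endswith(".apk") for u in report["urls"]):
        report["reasons"].append("hardcoded URL to an .apk (possible next-stage download)")
    if report["lookalike_label"]:
        report["reasons"].append("app label imitates Adobe/Android system software")
    if report["device_admin"]:
        report["reasons"].append("requests device-administrator binding")
    return report


def build_store_app() -> bytes:
    """Constructed stand-in for the innocuous-looking app from the store."""
    rng = random.Random(7)  # deterministic pseudo-random bytes stand in for an encrypted stage
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml",
                   '<manifest package="com.example.cleaner">'
                   '<application android:label="Cleaner for Android"/></manifest>')
        z.writestr("classes.dex",
                   b"dex\n035\x00Lcom/example/Stage2;\x00"
                   b"http://stage3.example.invalid/flashplayer.apk\x00")
        z.writestr("assets/config.bin", blob)
        z.writestr("assets/help.txt", b"Tap Clean to free up space.\n" * 20)
    return buf.getvalue()


def build_dropped_app() -> bytes:
    """Constructed stand-in for the third-stage app the user is asked to install."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml",
                   '<manifest package="com.example.flash">'
                   '<application android:label="Adobe Flash Player">'
                   '<receiver android:permission="android.permission.BIND_DEVICE_ADMIN"/>'
                   '</application></manifest>')
        z.writestr("classes.dex", b"dex\n035\x00Lcom/example/Stage4;\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("store app", build_store_app()), ("dropped app", build_dropped_app())):
        print(label, "->", triage_apk(apk)["reasons"] or ["no indicators"])
```

Run against a real APK, `triage_apk(open("sample.apk", "rb").read())` gives the same report; the entropy check is the one most worth tuning, since legitimate apps also ship compressed media in assets, so treat a hit as a reason to look closer rather than as a verdict.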

How to get rid of it

If you’ve downloaded any of these apps, you need to (i) deactivate admin rights for the installed payload, (ii) uninstall the surreptitiously-installed payload and (iii) uninstall the app downloaded from the Play Store.

To deactivate admin rights for the installed payload, go to Settings > (General) > Security > Device administrators and search for Adobe Flash Player, Adobe Update or Android Update.

To uninstall the installed payload, go to Settings > (General) > Application manager/Apps and search for the particular apps (Adobe Flash Player, Adobe Update or Android Update) to uninstall them.

To uninstall the malicious app downloaded from the Play store, go to Settings > (General) > Application manager/Apps and search for apps going by the following names: MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO.

Note that the settings structure may vary slightly depending on Android version.

How to stay protected

Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.


Business Today is the leading independent online business website in Kenya. Started in 2012 by a veteran business journalist, it has a huge following both in Kenya and abroad. It covers various business and related issues.
