The initial apps in Google Play were safe, but the creators found a way around the Play Store’s protections to install malware on Android users’ devices. Here’s how it happened and how to stay safe.
A November report from ThreatFabric revealed that more than 300,000 Android users unknowingly downloaded malware with banking trojan capabilities, and that it bypassed the Google Play Store restrictions.
The cybercriminals developed a method for successfully infecting Android users with different banking trojans, which are designed to gain access to user account credentials. The first step was to submit apps to the Google Play Store that had almost no malicious footprint and that actually looked like functional, useful applications, such as QR Code scanners, PDF scanners, cryptocurrency-related apps or fitness-related apps.
Once launched, these apps asked the user to do an update, which was downloaded outside of the Google Play Store (sideloading technique) and installed the malicious content on the Android device.
So, while the initial application did not contain anything malicious, it provided a way to install the malicious content after the installation was done, making it fully invisible to the Google Play Store.
The attackers were careful enough to submit an initial version of their applications, which did not contain any download or install functionality, and later updated the applications on the Google Play Store with more permissions, allowing the download and installation of the malware. They have also set restrictions by using mechanisms to ensure the payload was only installed on real victims’ devices and not testing environments, making it even harder to detect.
ThreatFabric discovered four different banking Trojan families: Anatsa, Alien, Hydra and Ermac, with Anatsa being the most widespread.
The security of the Google Play Store
Google Play is the major repository for Android applications, and any developer can submit his or her own application to the Play Store. The submitted application will then go through an app review process to ensure that it is not malicious and does not violate any of the developer policies.
These policies mostly involve ensuring that the content of the app is appropriate, that it does not impersonate or copy other apps or people, that it complies with monetization policies, and provides minimum functionality (it should not crash all the time, and it should respect the user experience).
On the security side, apps submitted should of course not be malicious: It should not put a user or their data at risk, compromise the integrity of the device, gain control over the device, enable remote-controlled operations for an attacker to access, use or exploit a device, transmit any personal data without adequate disclosure and consent, or send spam or commands to other devices or servers.
Google’s process to examine submitted applications also includes permission verifications. Some permissions or APIs, considered sensitive, need the developer to file special authorization requests and have it reviewed by Google to ensure the application does really need those.
Malware and PUA on the Google Play Store
While being very aware and actively deploying constant new methods to tackle malware, the Google Play Store can still be bypassed in rare cases. The whole review process applied to application submissions for the Google Play Store makes it really hard for cybercriminals to spread malware via the platform though it is unfortunately still possible.
A study released in November 2020 by the NortonLifeLock Research Group revealed that among 34 million APKs spread on 12 million Android devices, between 10% and 24% of it could be described as malicious or potentially unwanted applications, depending on different classifications. Of those applications, 67% were installed from the Google Play Store. The researchers mention that “the Play market is the main app distribution vector responsible for 87% of all installs and 67% of unwanted installs. However, its is only 0.6% vector detection ratio, showing that the Play market defenses against unwanted apps work, but still significant amounts of unwanted apps are able to bypass them, making it the main distribution vector for unwanted apps. In the end, users are more likely to install malware by downloading it from web pages via their device browsers or from alternative marketplaces.
How to protect your Android device from malware
With a few steps, it is possible to significantly reduce the risk of having an Android device being compromised.
- Avoid unknown stores. Unknown stores typically have no malware detection processes, unlike the Google Play Store. Don’t install software on your Android device which comes from untrusted sources.
- Carefully check requested permissions when installing an app. Applications should only request permissions for necessary APIs. A QR Code scanner should not ask for permission to send SMS, for example. Before installing an application from the Google Play Store, scroll down on the app description and click on the App Permissions to check what it requests.
- Immediate request for update after installation is suspicious. An application that is downloaded from the Play Store is supposed to be the latest version of it. If the app asks for update permission at the first run, immediately after its installation, it is suspicious.
- Check the context of the application. Is the application the first one from a developer? Has it very few reviews, maybe only five-star reviews?
- Use security applications on your Android device. Comprehensive security applications should be installed on your device to protect it.