Android research reveals dozens of malicious apps

For the past few years, cyber-criminals have strengthened their efforts to have malicious applications listed on Google Play Store – the world’s most trafficked Android app source. While the platform’s security checks have improved through the years, our research still uncovers malicious apps that use a vast array of tricks to bypass these checks.

This is the case of a new malware campaign on the Google Play Store where numerous apps use false pretexts to lure victims into installing them, only to change their name and aggressively serve ads afterward.

Attack at a glance

  • Bitdefender has identified 35 applications that have snuck into the Play Store
  • To confuse the user and conceal their presence on the device, the apps rename themselves and change their icon after installation, then start serving aggressive ads

One of the ways cyber-criminals monetize their presence on Google Play is to serve ads to their victims. While this may sound minor, the ads served to victims disrupt the usage experience and can link directly to malware.

Many legitimate apps show ads to their users, but these apps show ads through their own framework, which means they can also serve other types of malware to their victims. Most of the time, users can choose to delete an application if they don’t like it. These new malicious apps, however, trick victims into installing them, then change their name and icon and take extra steps to conceal their presence on the device. Users can still delete them at will, but the developers make it harder to find them on the affected devices.

While all the detected apps are clearly malicious, the developers were able to upload them to the Google Play Store, offer them to users and even push updates that made the apps better at hiding on devices. Bitdefender identified the malicious apps using a new real-time behavioral technology designed to precisely detect these dangerous practices, among many others. This new technology is slowly being rolled out to our customer base and will become available to everyone in the coming months.

We looked at the ‘GPS Location Maps’ app as the first example. With over 100k downloads, it’s one of the more popular, but we noticed it doesn’t have any reviews. Immediately after installation, the app changes its label from ‘GPS Location Maps’ to ‘Settings’ and then shows additional websites in WebViews and an advertisement.

WebView is a component of the Android operating system that allows apps to load web content such as web pages and ads.

The ‘GPS Location Maps’ app makes it difficult for users to find and uninstall it by changing its icon. Also, on some devices, a few of the malicious apps even request permission to bypass the battery optimization feature and start foreground services with persistent notifications so that they stay alive and do not get killed by the system.

Many of the detected apps also request permission to display over other apps, which suggests that they are likely also simulating user clicks to rake in profits.
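As an added example (not Bitdefender's detection technology and not code from the campaign), the Python script below performs a static triage of a decoded AndroidManifest.xml for the indicators described above: the permissions that let an app bypass battery optimization, keep a foreground service alive and draw over other apps, plus more than one launcher entry point carrying different labels or icons. That last check assumes the name/icon swap is done through alternate launcher components such as activity aliases, which the article does not confirm; the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Permissions the article ties to staying alive and drawing over other apps.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "bypass battery optimization",
    "android.permission.FOREGROUND_SERVICE": "keep a foreground service alive",
    "android.permission.SYSTEM_ALERT_WINDOW": "display over other apps",
}
# Constructed sample (not a real app): a launcher entry labelled like a maps app plus a
# disabled activity-alias labelled 'Settings' with another icon, ready to be toggled on.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="GPS Location Maps" android:icon="@mipmap/ic_maps">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity-alias android:name=".SettingsAlias" android:targetActivity=".MainActivity"
        android:label="Settings" android:icon="@mipmap/ic_settings" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity-alias>
  </application>
</manifest>"""

def _is_launcher(elem):
    # A MAIN + LAUNCHER intent filter means this component gets a home-screen icon.
    for f in elem.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in f.findall("action")}
        cats = {c.get(NS + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def triage_manifest(xml_text):
    # Returns a list of findings; an empty list means no hiding indicator fired.
    root = ET.fromstring(xml_text)
    perms = {p.get(NS + "name") for p in root.findall("uses-permission")}
    findings = [f"{perm}: {why}" for perm, why in SUSPICIOUS_PERMISSIONS.items() if perm in perms]
    app = root.find("application")
    launchers = []  # (component, label, icon); unset label/icon inherit the application's
    for elem in app.findall("activity") + app.findall("activity-alias"):
        if _is_launcher(elem):
            launchers.append((elem.get(NS + "name"), elem.get(NS + "label", app.get(NS + "label")),
                              elem.get(NS + "icon", app.get(NS + "icon"))))
    if len(launchers) > 1 and len({(l, i) for _, l, i in launchers}) > 1:
        findings.append("multiple launcher entry points with differing label/icon: "
                        + "; ".join(f"{n} -> {l} {i}" for n, l, i in launchers))
    return findings
```

Run it against a manifest decoded with a tool such as apktool; a legitimate app with a single launcher entry and none of the listed permissions yields an empty list.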

Code Obfuscation Used to Remain Hidden

The developers of the ‘GPS Location Maps’ app added heavy code obfuscation and encryption to make reverse engineering difficult. The main malicious Java payload hides inside two encrypted DEX files, and the decryption occurs inside obfuscated native code. Even after decryption, the strings in the resulting Java code remain obfuscated.

Malicious behaviour such as changing the icon is also implemented in a different native shared library (.so file) from the one used for decryption, and that library is obfuscated as well.
