The Google Play app store has a reputation as the safest place online to get Android apps, and Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.
We’ve encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed. The same code was published on Google Play with a slightly different name under a new publisher.
This malware (Android.Reputation.1) appears on the Play Store hidden in at least seven apps in the U.S. offering fun, useful, and sometimes insidious features. These include emoji keyboard additions, space cleaners, calculators, app lockers, and call recorders. None of the samples we analyzed actually functioned as advertised on their Google Play pages. Once the app is installed, it takes various measures to stay on the device, disappear, and erase its tracks.
All of these apps have the same set of tricks designed to take advantage of the device user, including:
1) Waiting before undertaking the scam. The malware is configured to wait for four hours before launching its malicious activity, so as not to arouse user suspicion straight away. If the user isn’t tipped off right after app installation, they’re less likely to attribute strange behavior to the true culprit.
2) Requesting admin privileges. The app is looking to raise the barrier for its uninstallation and is usurping trusted branding to pull it off. The app uses the Google Play icon when requesting device administrator privileges.
3) Keeping the victim in the dark. The app has the ability to change its launcher icon and its “running apps” icon in the system settings once installed. Again, it uses well-known and trusted icons—specifically that of Google Play and Google Maps—to allay suspicion.
4) Delivering content to the device for profit. It should be noted that this is highly configurable and extensible. Currently, ads are pushed to the phone via Google Mobile Services, and URLs are launched in web views that redirect to the kinds of “you won” scam pages that we’ve outlined in a previous blog.
This configuration takes advantage of the legitimate and ubiquitous “Firebase Messaging” service, copying yet another service into a command and control (C&C) service.
Although malware appearing on Google Play leads the field in sophistication, there are patterns apparent. The package names we’ve seen reappearing on the Play store are a weak point in the evasion that’s being used:
Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behavior. This is the approach behind our mobile security technology, Symantec Mobile Insight.
Stay protected from mobile malware by taking these precautions:
- Keep your software up to date
- Do not download apps from unfamiliar sites
- Only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, such as Norton or SEP Mobile, to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect this malware as: