
Malicious Apps Persistently Appearing on Google Play and Using Google Icons

Seven apps have been discovered reappearing on the Play store under a different name and publisher even after these have been reported.

The Google Play app store has a reputation as the safest place online to get Android apps, and Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.

We’ve encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed. The same code was published on Google Play with a slightly different name under a new publisher.

This malware (Android.Reputation.1) appears on the Play Store hidden in at least seven apps in the U.S. offering fun, useful, and sometimes insidious features. These include emoji keyboard additions, space cleaners, calculators, app lockers, and call recorders. None of the samples we analyzed actually functioned as advertised on their Google Play pages. Once the app is installed, it takes various measures to stay on the device, disappear, and erase its tracks.

All of these apps have the same set of tricks designed to take advantage of the device user, including:

1) Waiting before undertaking the scam. The malware is configured to wait for four hours before launching its malicious activity, so as not to arouse user suspicion straight away. If the user isn’t tipped off right after app installation, they’re less likely to attribute strange behavior to the true culprit.

Figure 1. The malware is configured to wait for four hours

2) Requesting admin privileges. The app is looking to raise the barrier for its uninstallation and is usurping trusted branding to pull it off. The app uses the Google Play icon when requesting device administrator privileges.

Figure 2. Using the Google Play icon while asking for admin privileges

3) Keeping the victim in the dark. The app has the ability to change its launcher icon and its “running apps” icon in the system settings once installed. Again, it uses well-known and trusted icons—specifically that of Google Play and Google Maps—to allay suspicion.

Figure 3. The app changes its icon to emulate Google Maps

4) Delivering content to the device for profit. It should be noted that this is highly configurable and extensible. Currently, ads are pushed to the phone via Google Mobile Services, and URLs are launched in web views that redirect to the kinds of “you won” scam pages that we’ve outlined in a previous blog.

This configuration takes advantage of the legitimate and ubiquitous Firebase Messaging service, co-opting yet another trusted Google service, this time as a command and control (C&C) channel.
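As an added example (not code from the post or from Symantec), the following script shows how an analyst could triage a decoded AndroidManifest.xml for the three static capabilities behind tricks 2 to 4: a device-administrator receiver, a second launcher entry point that carries a different icon (assuming the icon swap is implemented with an activity-alias, a standard mechanism the post does not confirm), and a Firebase Cloud Messaging service. The manifest is constructed for the example; the findings are only meaningful in combination, since FCM on its own is entirely legitimate.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest (not a real sample). It declares the three static capabilities
# discussed in the post: a second launcher entry (an activity-alias, assumed here) with a
# Maps-style icon, a device-admin receiver, and a Firebase Cloud Messaging service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed.emoji">
 <application android:icon="@drawable/ic_app" android:label="Emoji Keyboard">
  <activity android:name=".MainActivity"><intent-filter>
   <action android:name="android.intent.action.MAIN"/>
   <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <activity-alias android:name=".MapsAlias" android:targetActivity=".MainActivity"
   android:icon="@drawable/ic_maps_lookalike" android:label="Maps" android:enabled="false">
   <intent-filter><action android:name="android.intent.action.MAIN"/>
   <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
  </activity-alias>
  <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
   <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
  <service android:name=".PushService"><intent-filter>
   <action android:name="com.google.firebase.MESSAGING_EVENT"/>
  </intent-filter></service>
 </application></manifest>"""

def _names(component, tag):
    """Set of android:name values on <tag> elements anywhere under a component."""
    return {e.get(NS + "name") for e in component.iter(tag)}

def triage_manifest(manifest_xml):
    """Return findings for the icon-swap / device-admin / push-channel combination."""
    app = ET.fromstring(manifest_xml).find("application")
    app_icon = app.get(NS + "icon")
    findings = []
    for alias in app.iter("activity-alias"):  # alternate launcher entry with its own icon
        icon = alias.get(NS + "icon")
        if LAUNCHER in _names(alias, "category") and icon and icon != app_icon:
            findings.append(f"icon_swap:{alias.get(NS + 'name')}->{icon}")
    for recv in app.iter("receiver"):  # device administrator hook raises the uninstall barrier
        if (recv.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in _names(recv, "action")):
            findings.append(f"device_admin:{recv.get(NS + 'name')}")
    for svc in app.iter("service"):  # FCM is legitimate alone; it matters with the rest
        if "com.google.firebase.MESSAGING_EVENT" in _names(svc, "action"):
            findings.append(f"fcm_push:{svc.get(NS + 'name')}")
    return findings
```

Run against the constructed manifest it reports all three findings; a manifest with a single launcher entry and no admin receiver reports nothing, which is the expected baseline for the benign apps this malware imitates.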

Although the malware that makes it onto Google Play tends to be the most sophisticated in the field, patterns are still apparent. The package names we’ve seen reappearing on the Play store are a weak point in the evasion being used:

Figure 4. Package names used by the malware

Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behavior. This is the approach behind our mobile security technology, Symantec Mobile Insight.

Mitigation

Stay protected from mobile malware by taking these precautions:

  • Keep your software up to date
  • Do not download apps from unfamiliar sites
  • Only install apps from trusted sources
  • Pay close attention to the permissions requested by apps
  • Install a suitable mobile security app, such as Norton or SEP Mobile, to protect your device and data
  • Make frequent backups of important data

Protection

Symantec and Norton products detect this malware as:

About the Author

Martin Zhang

Princ Software Engineer

Martin is a member of Symantec’s Security Technology and Response team who are focused on providing round-the-clock protection against current and future cyber threats.

About the Author

Shaun Aimoto

Technical Product Owner

Shaun is a member of Symantec’s Security Technology and Response team where he is focused on security research, and innovation on mobile platforms.
