More Hidden App Malware Found on Google Play with over 2.1 Million Downloads

May Ying Tee, Software Engineer


Martin Zhang, Principal Software Engineer



Recently, several security firms, Symantec included, have reported malicious apps in the Google Play Store, yet the problem shows no sign of dissipating. We have uncovered another wave of malicious apps in the Play Store that together have been downloaded more than 2.1 million times. We reported these apps to Google on September 2, 2019, and they have since been removed from the store.
A total of 25 Android Package Kits (APKs), mostly masquerading as photo utility and fashion apps, were published under 22 different developer accounts, with the earliest sample uploaded in April 2019. These 25 hidden-app malware samples share a similar code structure and app content, which leads us to believe that the developers are part of the same group or, at the very least, are working from the same source code base.




Figure 1. Hidden app malware on Google Play
Remote configuration file
When first installed, the app’s icon is still visible on the device, enabling the user to open and interact with the app normally. However, unbeknownst to the user, a request is made in the background via a third-party service to download a remote configuration file.


Figure 2. Partial extract of malware’s code shows how configuration file is requested
We intercepted the configuration file and found several settings in it, including one that toggles the app's icon-hiding behavior, alongside other advertisement-related settings. For other APKs in the set, the configuration served had icon hiding and advertisement display disabled, so those samples behaved inconspicuously at the time of analysis.


Figure 3. Partial extracts of configuration files downloaded from remote server containing multiple name-value pairs, showing true (left) and false (right) for icon hiding and other advertisement related configurations
Once the configuration file is downloaded, the malware extracts the settings and applies them. From the malware code, we can see th ..
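The following is an added illustration of how a remotely toggled "hide icon" setting is typically applied on Android; it is not the malware's code nor Symantec's, and the page does not show the real file format or key names. It assumes the configuration arrives as JSON, that the keys are called `hide_icon` and `show_ads`, and that the manifest exposes the launcher icon through an `<activity-alias>` named `.LauncherAlias` (all assumptions made for this example). The mechanism itself, `PackageManager.setComponentEnabledSetting` with `COMPONENT_ENABLED_STATE_DISABLED`, is the standard Android API for removing a launcher entry while the app keeps running.

```java
// Added example, not code from the original article or the malware family.
// Assumed manifest fragment for this example:
//   <activity android:name=".MainActivity" android:exported="false" />
//   <activity-alias android:name=".LauncherAlias"
//                   android:targetActivity=".MainActivity"
//                   android:exported="true">
//       <intent-filter>
//           <action android:name="android.intent.action.MAIN" />
//           <category android:name="android.intent.category.LAUNCHER" />
//       </intent-filter>
//   </activity-alias>
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;
import org.json.JSONObject;

public final class RemoteConfigApplier {
    // Hypothetical key names; the real configuration's keys are not shown on the page.
    static final String KEY_HIDE_ICON = "hide_icon";
    static final String KEY_SHOW_ADS = "show_ads";
    // Hypothetical alias name carrying the LAUNCHER intent filter (see comment above).
    static final String LAUNCHER_ALIAS = ".LauncherAlias";

    private final Context ctx;

    public RemoteConfigApplier(Context ctx) {
        this.ctx = ctx;
    }

    /** Parse the downloaded name-value pairs (assumed to be JSON here) and apply them. */
    public void apply(String configBody) throws Exception {
        JSONObject cfg = new JSONObject(configBody);
        boolean hideIcon = cfg.optBoolean(KEY_HIDE_ICON, false); // absent key: leave icon visible
        boolean showAds = cfg.optBoolean(KEY_SHOW_ADS, false);
        setLauncherIconVisible(!hideIcon);
        if (showAds) {
            // Ad-display logic is out of scope for this example.
        }
    }

    /**
     * Enable or disable the launcher alias. Disabling it removes the icon from the
     * launcher without stopping the app's other components; the package itself is
     * still installed and still listed by the package manager.
     */
    public void setLauncherIconVisible(boolean visible) {
        ComponentName alias = new ComponentName(ctx, ctx.getPackageName() + LAUNCHER_ALIAS);
        int state = visible
                ? PackageManager.COMPONENT_ENABLED_STATE_ENABLED
                : PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
        ctx.getPackageManager().setComponentEnabledSetting(
                alias, state, PackageManager.DONT_KILL_APP);
    }
}
```

For triage, this pattern gives two things to check: statically, a launcher `<activity-alias>` paired with a `setComponentEnabledSetting(..., COMPONENT_ENABLED_STATE_DISABLED, ...)` call whose argument is driven by data fetched at runtime rather than a constant; dynamically, an app whose icon has vanished from the launcher will still appear in `adb shell pm list packages`, and `adb shell dumpsys package <package>` will list the alias under the disabled components for the current user.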
