Researchers find more malware-infested apps on Google Play
Security researchers have discovered several apps on the
Google Play store harbouring the Bankbot malware.
According to blog posts by SfyLabs and Zscaler, the apps are
called 'Earn Real Money Gift cards'
(package name: com.moneygift.real.app) and 'Bubble Shooter Wild Life'
(package name: com.bubblesooter.wildlife). Both are by the same author. Both
companies said they have told Google about the apps. At the time of writing,
both apps were still available to download.
Researchers said that the first app contained Bankbot itself, while
the second contained a dropper: malware used to install other malware when
instructed.
The second app, Bubble Shooter Wild Life, takes advantage of
the Android Accessibility Service feature.
“Upon preliminary analysis of 'Bubble Shooter Wild Life', we
were able to confirm it to be malicious and capable of abusing Android's
Accessibility permission to install additional apps without the user's permission,”
said Gaurav Shinde, Android security researcher at Zscaler.
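The pattern Shinde describes, an app that declares an AccessibilityService and also asks for permission to install packages, is something a defender can screen for statically before an app ever reaches a managed device. The triage script below is an added example, not code from Zscaler, SfyLabs or the article: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and flags that combination. The Android permission and action names are real platform identifiers; the two manifests embedded in the script are constructed for the demo with placeholder package names and are not the manifests of the apps discussed.

```python
"""Static triage of a decoded AndroidManifest.xml for the accessibility-abuse
pattern: an accessibility service declared alongside package-install permissions.
Added example; not the researchers' code. The manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android identifiers (platform constants, not page-specific values).
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
INSTALL_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # normal apps may request this
    "android.permission.INSTALL_PACKAGES",          # signature-level; odd in a game
}


def declares_accessibility_service(root):
    """True if any <service> is bound with the accessibility permission and
    filters for the AccessibilityService action (what the OS needs to enable it)."""
    for svc in root.iter("service"):
        if svc.get(A_PERMISSION) != BIND_A11Y:
            continue
        for action in svc.iter("action"):
            if action.get(A_NAME) == A11Y_ACTION:
                return True
    return False


def requested_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {up.get(A_NAME) for up in root.iter("uses-permission")}


def triage_manifest(xml_text):
    """Return findings for one manifest; 'suspicious' is True when an
    accessibility service is paired with any package-install permission."""
    root = ET.fromstring(xml_text)
    has_a11y = declares_accessibility_service(root)
    install = sorted(requested_permissions(root) & INSTALL_PERMS)
    return {
        "package": root.get("package"),
        "accessibility_service": has_a11y,
        "install_permissions": install,
        "suspicious": has_a11y and bool(install),
    }


# Constructed manifest resembling a "game" that also binds an accessibility
# service and asks to install packages (placeholder package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary game: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.plaingame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

A legitimate accessibility app (a screen reader, say) will also trip the first check, so the script reports the two signals separately and only marks the pair as suspicious; the manifest review is a first filter for an MDM allow-list, not a verdict, and a flagged APK still needs the dynamic analysis the researchers describe.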
He said that the app was protected using Allatori
Obfuscator.
“Most recent malware families have started using
obfuscators, packers, and protectors to hinder analysis from security
researchers and malware detection systems,” he said.
Shinde added that since most of the code strings were
obfuscated, they decided to write a routine to decrypt all the strings and
rebuild the APK. Once they got the strings in plain text, the analysis was
straightforward.
Both sets of researchers noted that the malware fails to work
at different points, leading them to believe it is still under development.
“It looks like the developer is still working on improving
his dropper app. Any new update to the app (the last one was two days ago) can
add an embedded APK which will be installed after the app is started,” said
Wesley Gahr and Niels Croese of SfyLabs.
“With a simple campaign on social media the app can be
spread rapidly, especially since the app appears to be a normal and fun game to
the average user. As we have long expected, droppers will probably become more
common and be rented out as a service,” they added.
Marta Janus, malware researcher and reverse engineer at
Cylance, told SC Media UK that organisations should educate employees not to install
any untrusted software - or any unnecessary software at all - on the BYOD
devices that they use to access corporate resources.
“In this particular case, the situation is a bit
complicated, as the malicious application somehow managed to go through the
Google evaluation, which - for many users - is enough to assume the software is
legit,” she said.
“However, it's not the first time malware appears on Google
Play store, and although it happens less often now, since vetting processes
have been implemented, users should still be vigilant and think twice before
they install applications on their corporate-connected devices, even if the
source is the official app store.”
Javvad Malik, security advocate at AlienVault, told SC Media
UK that many of these attacks use newer obfuscation techniques to bypass
Google's security checks.
“As their popularity increases, it is likely that Google
will increase the rigour of its checks to filter out such apps. While total
security is not possible, the official Google Play store should remain by and
large a trusted repository,” he said.