How Android Malware sneaks past the Google Play Protect
Hackers have distributed malware to hundreds of thousands of Android users by hiding it inside a series of apparently harmless apps. They are accomplishing this by using a technique called Dropper.
A dropper is a program/script, that has been designed to “install” a type of malware to a target system.
They don’t carry any malicious activities by themselves, but instead open a way for attack by downloading/decompressing and installing the core malicious modules. There are numerous apps slipping past Google Play Protect as they have split that dropper and the actual malware in two different parts.
Dropper was previously used to attack desktops, although they are not as effective on the desktop because of the presence of an antivirus software that detects the threats including the second-payload with more complex viruses or worms in real time. However, the effect is maximized on Android where there is no real-time anti-virus scanning app or built-in software. The only security measure is the scan that Google performs before approving the app on Google Play Store.
Google Play Protect cannot identify the dropper because they require only a smaller number of permissions and exhibit limited behaviour that could be classified as malicious. Furthermore, adding timers that delay the execution of any malicious code with a few hours also helps the malware remain undetected during Google’s scans.
Mobile malware creators consider official app stores to be the holy grail to maximize the results of infection campaigns. Getting a malicious app into an official store yields greater exposure to more potential victims, a cheap distribution channel and implied user trust. Moreover, malware apps that have already made it into an official store are more likely to fly under the radar of security controls for longer than those hosted on hijacked sites or rogue servers.
While such cybercrime services are popular with PC malware distributors, its rise in the mobile malware realm is an escalating risk factor that users and organisations should be aware of.
The Dropper method has been used predominantly by malware authors spreading versions of the Exobot, LokiBot, and BankBot mobile banking trojan but has also been adopted in the meantime by many others.
How you can protect yourself from mobile Trojans:
We recommend users take the following steps to protect themselves from mobile Trojans:
- Only rely on trusted app stores, such as Google Play or Apple’s App Store. Even though the malware slipped into Google Play, its payload was downloaded from an external source. If you deactivate the option to download apps from other sources, you will be safe from this type of trojan activating on your phone
- Before downloading a new app, check its user ratings. If other users are complaining about a bad user experience, it might be an app to avoid
- Pay attention to the permissions an app requests. If a flashlight app requests access to your contacts, photos and media files, treat this as a red flag
- Often, malware will ask to become device administrator to get control over your device. Don’t give this permission to an app unless you know this really is necessary for an app to work.
The Quixxi Security Solution
Is your mobile app for your customers handles any sensitive information (personal, health, financial) then it is a potential target for threat actors? The Quixxi Security suite assesses how secure your app is and optionally allows you to shield it against attack. All with one click, from your finished App. Head over to quixxi.com and get a free vulnerability test, it only takes a few minutes to identify where the vulnerabilities are and prevent any risks before it is too late.
