Serving up malicious ads, while potentially stealing credentials and financial information, dozens of Android malware apps have snuck onto the Google Play Store, where they have been downloaded more than two million times.
Uncovered by security researchers at Bitdefender, the 35 apps trick Android users into installing them from the Google Play Store by pretending to offer some useful functionality such as editing images or GPS tracking. Once installed, the malicious apps change their name and icon – sometimes posing as the Settings app – making them difficult to find and uninstall.
If the user clicks on the fake Settings icon, the malware app starts hidden from view and then launches the legitimate Settings app.
Once installed, the malicious apps serve intrusive advertisements, generating fraudulent impressions and ad revenue for their operators. They also offer the ability to install additional malicious software on a compromised device, which can steal credentials and financial information.
While all of the detected apps are clearly malicious, their developers were still able to upload them to the Google Play Store and even push out updates which made the apps better at hiding on devices.
Bitdefender identified the Android malware apps using a new real-time behavioural technology designed to detect precisely such dangerous practices.
“Just because we download an app from the official store doesn’t mean it will be safe,” according to a Bitdefender blog post.
“While official stores are usually very good at weeding malicious or dangerous applications out, some history shows that a small number of bad apps manage to get through and make victims until they get reported.”
Simple rules to help smartphone users stay safe include:
Don’t install apps that you don’t really need
Remember to delete apps you no longer use
Be wary of apps with a large number of downloads, yet few or no reviews
Be wary of apps that request special permissions, like Drawing over apps or access to Accessibility
Be wary of apps that request access to permissions that have nothing to do with the advertised functionality
Always run a security solution in the background that can detect malicious behaviour