Apps from the official Play Store distributed Joker, FaceStealer, and Coper malware families, researchers have discovered.
Prompted by researchers, Google has removed dozens of apps spreading dangerous malware via the virtual marketplace, the Zscaler ThreatLabz team claims.
According to the researchers, the spread of Joker malware, one of the most prominent malware families targeting Android devices, is particularly interesting.
“Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly modifying the malware’s trace signatures including updates to the code, execution methods, and payload-retrieving techniques,” reads the Zscaler ThreatLabz team’s report.
Threat actors use Joker malware to steal SMS messages, contact lists, and device information and to sign the victim up for premium wireless application protocol (WAP) services. The Joker malware was first observed to roam the Play Store in 2017.
According to Deepen Desai, CISO and VP Security Research at Zscaler, the initial malware payloads were previously downloaded directly from known hosting servers.
"Recently, we are observing more and more multi stage payloads hidden inside the Google Play Store app and decrypted at runtime by leveraging the library executable files," Desai told Cybernews.
Fifty infected apps with over 300k combined downloads were discovered on the Play Store. Researchers claim that most malware-infected apps fall into two categories: communication (47%) and tools (39%). To lure unsuspecting victims into the trap, the malicious apps often mimic the logos of more recognizable apps such as Messenger, WhatsApp, or Google Translate.
Desai explained that it's getting more difficult to detect malware since threat actors use common libraries to hide malicious functionality in legitimate yet poorly functioning apps.
Interestingly, malicious actors put in a lot of effort to create a facade of legitimacy. For example, the next-stage payload is downloaded only if the original app is live on the Play Store. Desai said that this technique prevents the malicious functionality from running while the app is being vetted and is not yet live on the Play Store.
To avoid detection, threat actors also use executables to hide the next-stage payloads, leverage commercial packers, and take over notification and accessibility permissions to hide sensitive information such as OTPs and other SMS messages, leaving victims unaware of financial fraud.
FaceStealer malware was also noted to prowl the Play Store for victims. FaceStealer targets Facebook users with a Facebook login screen to harvest credentials. Researchers found that apps infected with the malware were downloaded 5k times.
A member of another malware family, Coper, was also spotted by the researchers. The trojan that targets banking apps in Europe, Australia, and South Africa masquerades as a QR code scanner.
Once installed, it releases the Coper malware, capable of intercepting and sending SMS text messages, keylogging, locking and unlocking the device screen, preventing uninstalls, and generally allowing attackers to take control and execute commands.
The end goal of the malware is to gain information and access to the victim’s financial assets and leverage the gathered information to steal funds.
Researchers warn users to be particularly vigilant when downloading messaging apps and to take the time to ensure that the apps are well known and well reviewed.
“Even when a link comes from a trusted friend asking you to download a messaging app, consider the possibility that your friend’s device may be compromised by malware and stop to confirm with them first, and then still take the time to conduct your own research and verify the app has a well-established and safe reputation before installing,” researchers claim.