Another malware hiding place has been discovered in the Google Play store. It was immediately removed from the official Android app store, but not without damage: the apps carrying the malware had been downloaded by tens of thousands of users. Researchers at ESET counted eight apps containing Trojan Dropper that were available for download on Google Play. Trojan Dropper is a type of malware that lets attackers drop many other harmful payloads, ranging from spyware to banking Trojans.
Most of these apps looked like innocent news apps or cleaners for smartphones. They appeared completely legitimate, yet they contained malicious functions that were hidden through obfuscation and by delaying the installation of their harmful payloads on the victim's device.
Some of the apps detected by ESET researchers are: an Android cleaner called “Clear Android” by DMITRII SHIPOV, “MEX Tools” by A GONCHARENKO, “Cleaner for Android” by ROZA PESHKOVA, and a news app called “World News” by OLGA DUMANSKAIA, “World News PRO” by V. STOLPOVSKII, and “WORLD NEWS” by V. STOLPOVSKII. The infected app does not require any suspicious permissions, so as not to discourage users from downloading and installing it. Once installed, it behaves as the user would expect, mimicking the kind of app it is supposed to be, whether a news aggregation app or a phone cleaner. This mimicking tactic is well known and is becoming more common among developers of harmful and malicious software.
While the app puts on this ordinary behavior in front of the user, it starts executing its multi-stage payload in the background. Once the app has decrypted and executed the first stage, that stage handles the decryption and execution of the second stage, which contains a hardcoded URL that the app uses to download the third and final stage, which contains new malware. Since all of this runs in the background without the user noticing anything suspicious, the only hint or alarm you get is that, after a few minutes of waiting, you are prompted to update an app or install a new one. This new installation then asks for further sensitive permissions, such as reading your contact list, sending and receiving text messages or phone calls, or the ability to modify your storage.
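The install pattern described above can be checked for in a device's app inventory. The following is an added example, not code from ESET or from the original article: it flags an app that did not come from Google Play and requests the sensitive permissions listed above, when it appears shortly after a Play-installed app that requests none of them. The record layout, the 30-minute window, the mapping of the article's permission list to Android permission names, and the sample package names are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

PLAY_STORE = "com.android.vending"  # installer package name used by Google Play
# Assumed mapping of the article's list (contacts, SMS, calls, storage).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def find_dropper_chains(inventory, window=timedelta(minutes=30)):
    """Return (carrier, payload, sensitive_permissions) for suspicious pairs.

    carrier: Play-installed app requesting none of the SENSITIVE permissions.
    payload: app not installed by Play that requests SENSITIVE permissions
             and was installed within `window` after the carrier.
    """
    carriers = [a for a in inventory
                if a["installer"] == PLAY_STORE
                and not SENSITIVE & set(a["permissions"])]
    payloads = [a for a in inventory
                if a["installer"] != PLAY_STORE
                and SENSITIVE & set(a["permissions"])]
    hits = []
    for p in payloads:
        for c in carriers:
            delay = p["installed"] - c["installed"]
            if timedelta(0) < delay <= window:
                hits.append((c["package"], p["package"],
                             sorted(SENSITIVE & set(p["permissions"]))))
    return hits

# Constructed inventory (hypothetical package names, not real indicators).
SAMPLE = [
    {"package": "com.example.filetool", "installer": None,
     "installed": datetime(2017, 1, 1, 9, 0),
     "permissions": ["android.permission.WRITE_EXTERNAL_STORAGE"]},
    {"package": "com.example.maps", "installer": PLAY_STORE,
     "installed": datetime(2017, 1, 2, 9, 0),
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"]},
    {"package": "com.example.worldnews", "installer": PLAY_STORE,
     "installed": datetime(2017, 1, 3, 10, 0),
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.update", "installer": None,
     "installed": datetime(2017, 1, 3, 10, 7),
     "permissions": ["android.permission.READ_CONTACTS",
                     "android.permission.SEND_SMS"]},
]
```

A hit is a triage lead rather than a verdict: legitimate sideloaded apps installed soon after a Play install will match as well, so the flagged payload package still needs to be inspected.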