Researchers recently discovered a dozen malware-laden apps in the Google Play store. Learn about these apps and how to protect your mobile device from them.
People love installing apps on their mobile devices. They have downloaded a whopping 28.7 billion programs from the Google Play store and 9.1 million apps from the Apple App Store in the second quarter of 2020 alone. Before including programs in their stores, both Google and Apple put them through a vetting process to weed out malicious apps. However, some still make it into their stores.
This happened recently in Google Play. On July 7, 2020, security researchers at Avast announced they discovered a Cerberus banking trojan disguised as a currency-converter app in the store. The malicious app was downloaded more than 10,000 times before it was discovered. Then, just two days later, security researchers at Check Point Software Technologies revealed that they found 11 apps in Google Play that contained the Joker malware. The 11 apps were downloaded a total of 500,000 times.
The Cerberus Banking Trojan
Cybercriminals have been using the Cerberus banking trojan to steal personal and financial data from Android device users since 2019. The hackers use various methods to get the trojan on victims’ devices, including through malicious websites, bogus Adobe Flash Player installers, and fake apps, according to security experts. In the attack discovered by the Avast researchers, cybercriminals used a phony currency-converter app called “Calculadora de Moneda” (which translates to “Currency Calculator”) to target Android device users in Spain.
When people first started downloading the Currency Calculator in March 2020, it was functional and did not exhibit any malicious behavior. This served two purposes. First, it gave users a false sense of security. Had the app not worked or started exhibiting suspicious behavior, users might have removed it from their devices. Plus, it might have attracted the attention of security researchers. Second, it gave the app time to grow a user base. A higher number of users means a higher number of victims.
It wasn’t until mid-June that malicious code first started appearing in newer versions of the Currency Calculator. However, that code wasn’t activated until July 1, at which point the app downloaded the various components needed for the attack and installed them on victims’ devices.
Cybercriminals can customize Cerberus to perform a variety of malicious acts, including logging keystrokes, viewing contact lists, reading text messages, and even capturing two-factor authentication (aka two-step verification) details. In this case, the hackers used it to carry out overlay attacks. In this type of attack, Cerberus creates windows that look like the message and input screens in apps for popular online services (e.g., the home and login screens in banking, email, and social media apps). When victims open those apps, Cerberus lays the copycat windows over the legitimate screens. The victims think they are interacting with the legitimate apps, but they are really interacting with the malware. As a result, any personal information they enter (e.g., login credentials, account details) falls into the hackers’ hands.
The Joker Malware
Cybercriminals have been using the Joker malware to attack Android device users since 2017. They create apps that appear to be legitimate but have the malware hidden inside. Besides stealing contact lists, device information, and text messages, the malware signs its victims up for pricey subscription services without their knowledge.
When the Check Point researchers analyzed the 11 apps they found in Google Play, they discovered that the cybercriminals used a new strain of Joker. For the first time, the malicious payload was hidden in the metadata of the app’s Android manifest file (AndroidManifest.xml). Every app in Google Play must include this file; it declares information about the app, such as its package name, components, and permissions.
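The check below is an added example for this article, not code from Check Point, Avast or Google. It shows how a reviewer of a decoded manifest could flag metadata entries that are far larger than configuration values normally are. It assumes the APK’s manifest has already been decoded to plain XML (for instance with apktool) and that a dropper would stash its stage as a long base64 string in an android:value attribute; that storage format is an assumption here, not a detail the article states. The sample manifests are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_VALUE = "{%s}value" % ANDROID_NS

SIZE_THRESHOLD = 256                      # chars; tune for your app population
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
DEX_MAGIC = b"dex\n"                      # first bytes of every .dex file


def build_manifest(extra_meta_data: str) -> str:
    """Constructed decoded manifest: one ordinary <meta-data> entry plus whatever is passed in."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<manifest xmlns:android="%s" package="com.example.imagecompressor">\n'
        '  <application android:label="Image Compressor">\n'
        '    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>\n'
        '%s'
        '  </application>\n'
        '</manifest>\n'
    ) % (ANDROID_NS, extra_meta_data)


# Constructed samples: a clean manifest and one carrying a base64 blob that
# decodes to a DEX header followed by filler bytes (a stand-in for a hidden stage).
CLEAN_MANIFEST = build_manifest("")
_blob = base64.b64encode(DEX_MAGIC + b"035\x00" + b"\x00" * 300).decode()
SUSPICIOUS_MANIFEST = build_manifest(
    '    <meta-data android:name="loader_config" android:value="%s"/>\n' % _blob
)


def suspicious_meta_data(manifest_xml: str, threshold: int = SIZE_THRESHOLD) -> list:
    """Return one finding per <meta-data> whose android:value is an oversized
    base64 string; the finding also notes when the decoded bytes start with DEX magic."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("meta-data"):
        name = node.get(ATTR_NAME, "")
        value = "".join(node.get(ATTR_VALUE, "").split())   # drop any line wrapping
        if len(value) < threshold or not BASE64_RE.match(value):
            continue
        reasons = ["oversized base64-looking value"]
        try:
            decoded = base64.b64decode(value, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            decoded = b""
        if decoded.startswith(DEX_MAGIC):
            reasons.append("decodes to a DEX header")
        findings.append({"name": name, "length": len(value), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, manifest in (("clean", CLEAN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, suspicious_meta_data(manifest))
```

Size alone is only a heuristic: legitimate SDKs do put short keys and version numbers in <meta-data>, which is why the sample’s Google Play services entry is not reported. Anything that is both oversized and decodes to executable bytes deserves a manual look before the app is allowed onto company devices.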
The malicious payload remained dormant during Google Play’s vetting process so it would not be detected. Only after the apps were approved was the Joker code loaded and executed.
This Joker strain was found in 11 different apps, including a file recovery app, an image compressor, a memory game, and a couple of apps that provided cheerful messages. Here are those apps:
What You Can Do to Protect Your Mobile Device from Malicious Apps
If you have any of the aforementioned apps on your mobile device, you should uninstall them. You should also take some measures to reduce the risk of getting malware from malicious apps in the future:
Don’t Forget about Your Company’s Mobile Devices
Company-owned mobile devices can also become infected with malware if a malicious app is installed on them. Therefore, it is important to protect those devices as well. Besides implementing basic measures (e.g., installing a security solution, regularly updating software), you should discourage or prevent employees from installing unsanctioned apps on the devices. This could be as simple as specifying what can and cannot be installed on the devices in your company’s acceptable use or mobile device policy. If there are numerous mobile devices, you might want to use a mobile device management (MDM) solution to secure, manage and monitor them. We can go over your options and help you select the best way to secure your company’s mobile devices.