Google’s efforts to keep its mobile app store free of malware-laden applications appears to be very much a work in progress considering the recent success cyber-criminals have had uploading rogue software to it.
This week two security vendors issued separate advisories warning about finding malware-infested applications on Google Play.
Check Point Software said it had discovered at least 50 Android applications on the mobile app store tainted with malware designed to surreptitiously send fraudulent premium SMS messages and charge users for fake services.
Check Point said that applications containing the Android malware, dubbed ExpensiveWall, had been downloaded between 1.2 million and 4 million times. ExpensiveWall, according to Check Point, is a variant of a malware strain that was discovered infecting a popular Android photo app on Google Play only earlier this year.
Between the two incidents, the malware family has been downloaded between 6 million and 21 million times, Check Point said citing Google Play data.
Google removed the most-recent batch of infected applications promptly from Play after Check Point informed the company about the issue on Aug. However, a mere few days later, another application containing the malware again became available on Google Play and infected more than 5,000 Android devices before Google removed that one as well, Check Point said.
According to the security vendor, users who downloaded the applications are still at risk and need to uninstall the software. The Check Point blog contains a comprehensive list of all Android applications on Play that the company found infected with ExpensiveWall. The names of the apps suggest that a majority of the infected software was wallpaper applications.
Google did not respond immediately to a request seeking comment on whether the company had notified Play customers who had downloaded the malware to urge them to uninstall the malware.
The second advisory was from Trend Micro, which said it had found four applications on Google Play that were infected with new versions of BankBot, a malware for stealing user credentials to online bank accounts.
The newest versions were designed to steal credentials of customers of 10 banks in the United Arab Emirates, Trend Micro said in an advisory this week. The malware has since been removed but not before one of the applications was downloaded between 5,000 and 10,000 the security vendor reported.
Check Point described ExpensiveWall as malware that sends premium SMS messages and registers victims to premium services without their knowledge or consent. If a user downloads the malware, it requests permissions commonly associated with other applications such as permission for Internet access and SMS permissions.
“Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play,” Check Point researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov wrote.
Unlike previous versions of the malware, ExpensiveWall uses an advanced obfuscation technique to evade the anti-malware protections that Google has built into Play, the researchers said. The malware can easily be tweaked to carry out more dangerous tasks such as stealing data from the victim’s phone or to spy on them.
This is by far not the first time that security researchers have found malware-laden applications on Google Play, which is widely regarded as the safest source for Android applications.
In April, two security vendors separately warned about discovering malware on Play. One of the alerts was from Zscaler about a spyware tool masquerading as a system update that had been downloaded between 1 million and 5 million times. The other was from Securify and warned of banking malware posing as a legitimate application on Google Play.
The same month PhishLabs discovered 11 Android apps masquerading as payment applications on Play. In May, Google was forced to purge dozens of applications from its app store after Check Point found they were designed to trick users into clicking on ads on a massive scale.
Google has added new controls to try and address the problem. The most notable among them is Google Play Protect, an always-on antivirus service that scans for malware on Android applications uploaded to Play and running on user devices.
