Security Vendors Warn of Banking Malware, Spyware on Google Play

Google has removed both apps from its Android Play store, but one was downloaded more than one million times since 2014.

Mobile Malware

The Google Play mobile app store is generally considered one of the safest sources for finding and downloading Android applications. That doesn’t mean it is entirely risk free though.

In recent months there have been several instances where security researchers have warned about malicious and potentially harmful applications lurking on Google Play waiting to be downloaded by unsuspecting users.

This week, there were similar warnings from two separate security firms about more such malware on Google Play.

One of the alerts was from Zscaler, which said it had discovered a spyware tool posing as a system update in Google Play. The malware appears to have been available on the Google app store since at least 2014 and has been downloaded between 1 million and 5 million times, the security vendor said in an alert Wednesday.

Zscaler discovered the malware on April 11 and reported it to Google a couple of days later. Google then removed the app in less than 24 hours, Zscaler’s director of security research Deepen Desai wrote in an email responding to questions from eWEEK.

The spyware, which Zscaler has dubbed SMSVova, was designed to monitor and relay a victim’s location to an unknown third-party in real-time using SMS messaging. In its description on Google Play, the application claimed to give users access to Android updates but it was actually being used to spy on a victim’s exact geographic location, Zscaler said.

When a user attempted to start the application, it would immediately crash and serve up an error message indicating that the update service had stopped.

In the background though, the spyware would quietly enable the victim’s device to fetch and send device location data to the attackers using specially configured SMS text messages. The malware was designed to let attackers use SMS messages to send and receive instructions and data from compromised devices.

The functionality for tracking the exact geolocation could be activated by sending a specific command over SMS to the infected device, Desai said. “Once activated, the device will send an SMS to the configured destination [with the] exact geolocation of the infected device,” he said. It is unclear what exactly the attackers were doing with that information he said.

Similar tools are available on Google Play that allows users to quietly keep tabs on children or spouses, Zcaler noted in its alert. What made SMSVova different was the fact that it was disguised as an application with a completely different function and gave user no indication of its spying capabilities, the security vendor said.

The other alert this week was from Securify. In a blog post, a security researcher from the company wrote that he had discovered banking malware hidden in a legitimate application on Google Play called Funny Videos 2017.

The Android malware was designed to grab the Internet banking credentials and credit card numbers of mobile banking customers of several dozen banks worldwide. The malware contained phishing overlays, or pages designed to look exactly like the account login pages of the targeted financial institutions, according to the Securify post.

When a mobile banking customer of any of the targeted banks attempted to log into their accounts, the malware would use the phishing overlay for that institution to grab credit card and login details.

The application was last updated earlier this month, which is when the malware was most likely added, the Securify researcher wrote.

Google has removed the malware-laden application from Play after learning about it, but between one thousand to five thousand users appear to have already downloaded it, according to the security vendor.

"Consumers have been repeatedly told that only reputable online stores should be used to download apps,” saidRobert Capps, vice president of business development at NuData Security in an emailed statement. Yet, this discovery throws that advice into question and leaves the consumer with few options,” beyond combing reviews, he said. 

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.