The people most at risk of downloading Android malware on their mobile devices are those who install apps from unofficial third-party mobile application stores. But that doesn’t mean that those who download apps from Google’s official Google Play store are completely immune to malicious software.
PhishLabs, a company that provides anti-phishing services, this week said it has discovered 11 malicious applications disguised as mobile apps for popular online payment services on Google Play since the beginning of this year.
The applications purport to give users access to their online payment accounts from their mobile devices, PhishLabs security analyst Joshua Shilko said in a blog post this week. But in reality, the only functionality the apps have is to collect the user’s logon credentials and personal data and to send that to a remote command and control server belonging to the malware authors, Shilko said.
PhishLabs did not identify the 11 payment brands whose apps were spoofed and uploaded to Google Play. According to Shilko, 10 of the companies whose customers are being targeted by the malicious apps link directly from their websites to their legitimate mobile applications, so the spoofed apps compete with a genuine one. One of the companies being targeted explicitly notes on its website that it has no mobile application at all, he added, meaning any app claiming to be that brand's is fake by definition. All of the apps appear to have been developed by the same malware author or authors.
Android users who mistakenly download and use the fake apps are presented with a web page designed to look and act like the real brand's login page. Any logon credentials a user supplies to the fake app are immediately sent to the attacker's server.
The phishing apps then present the user with further forms seeking additional information, such as the answers to the security questions the user set up on the real account. Once the malware has collected and sent all of the information, it shows the user an error message claiming that the username and password combination was wrong, or some similar failure, so that the victim has no indication that the data has been stolen.
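The behaviour described above leaves a recognisable trace when the app is driven in a sandbox: form-style POSTs carrying login fields, followed by POSTs carrying security-question answers, all going to a host that is not the brand's own domain. The following triage check is an added example written for this article; it is not PhishLabs' tooling or anything from the apps themselves. The HTTP requests, the brand domain `examplepay.example`, the attacker host `phish-cdn.example` and the field names are all constructed for illustration.

```python
"""Flag credential-bearing POSTs that leave the brand's domain.

Added example: runs over constructed sandbox HTTP records (not real data)
and reports requests that carry login or security-question fields to a
host outside the brand's legitimate domain. Form-encoded bodies only.
"""
from urllib.parse import parse_qs, urlparse

# Exact field names and substrings that typically identify credential or
# account-recovery data. Adjust per brand; these are assumptions.
CREDENTIAL_FIELDS = {"username", "user", "email", "password", "pin", "ssn"}
CREDENTIAL_SUBSTRINGS = ("pass", "answer", "maiden")

# Assumed legitimate domain of the spoofed brand.
BRAND_DOMAIN = "examplepay.example"

# Constructed sandbox capture: a lookalike login page, two exfiltration
# POSTs, one legitimate login, and one unrelated analytics beacon.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://phish-cdn.example/pay/login.html", "body": ""},
    {"method": "POST", "url": "https://phish-cdn.example/pay/submit.php",
     "body": "username=alice&password=hunter2"},
    {"method": "POST", "url": "https://phish-cdn.example/pay/submit2.php",
     "body": "security_answer=rover&mother_maiden=smith"},
    {"method": "POST", "url": "https://www.examplepay.example/api/login",
     "body": "username=alice&password=hunter2"},
    {"method": "POST", "url": "https://analytics.example/collect",
     "body": "event=app_open&sdk=1.2"},
]


def looks_like_credential(field_name):
    """True if a form field name suggests a credential or recovery answer."""
    name = field_name.lower()
    return name in CREDENTIAL_FIELDS or any(s in name for s in CREDENTIAL_SUBSTRINGS)


def host_in_domain(host, domain):
    """Exact match or subdomain match against the brand's domain."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def flag_credential_exfil(requests, brand_domain):
    """Return POSTs that send credential-like fields to a foreign host."""
    findings = []
    for req in requests:
        if req["method"].upper() != "POST":
            continue
        host = urlparse(req["url"]).hostname or ""
        fields = parse_qs(req["body"], keep_blank_values=True)
        leaked = sorted(f for f in fields if looks_like_credential(f))
        if leaked and not host_in_domain(host, brand_domain):
            findings.append({"url": req["url"], "host": host, "fields": leaked})
    return findings


def summarize_by_host(findings):
    """Collapse findings to host -> sorted set of leaked field names.

    A single foreign host receiving both login fields and security answers
    matches the staged-form pattern described in the article.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).update(f["fields"])
    return {h: sorted(v) for h, v in by_host.items()}


if __name__ == "__main__":
    hits = flag_credential_exfil(SAMPLE_REQUESTS, BRAND_DOMAIN)
    for hit in hits:
        print(f"{hit['host']}: {', '.join(hit['fields'])} -> {hit['url']}")
    print(summarize_by_host(hits))
```

The legitimate POST to `www.examplepay.example` is left alone because the host is inside the brand's domain; the two POSTs to `phish-cdn.example` are reported, and the per-host summary shows that one foreign host collected both the login pair and the recovery answers. In practice the request records would come from a proxy or instrumentation run, and the field heuristics would be tuned to the brand's real form names.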
Google did not respond to a message seeking information on how the same attackers might have managed to upload 11 malicious apps to its Google Play store since the beginning of January.
Google, which used to have relatively few controls for checking the security of applications uploaded to its Android app store, these days reviews all submissions using a combination of manual and automated security testing processes.
But the presence of the malicious payment apps in Google Play suggests more work needs to be done in this regard, Shilko said. All of the malicious applications that PhishLabs identified went through Google's security review process. The fact that none was identified as malware, despite obvious red flags such as an app impersonating a brand that publicly states it has no mobile app, raises questions about the effectiveness of Google's security review processes, he said.
In separate comments to eWEEK, Shilko said PhishLabs has been communicating with Google regularly regarding each application as it is detected. "We also communicate with the registrars and hosting providers whose infrastructure is being utilized for the related phishing content," he said. "As of the time of publication, all of the applications referenced in the post had been removed except for one."