A type of Android malware keeps finding its way onto the Google Play store, despite concerted efforts by Google to banish it from the marketplace. The malware in question, detected as ‘Android.Spy.277.origin’, has so far been found in more than a hundred apps, and Google is still struggling to eradicate it from its online marketplace.
According to security researchers at Russian firm Doctor Web, Android.Spy.277.origin is still hiding in many dubious apps on the Google Play store, despite Google’s attempts to clean up the marketplace. Most of the apps in question serve a legitimate function, but they also carry the malicious code, which once installed gives cyber criminals a backdoor into the Android device.
The malware’s operation is fairly sophisticated: it first disguises itself as a popular app, then uses social engineering to convince the user to download a second piece of software, an APK called ‘polacin.io’. Once the user has been fooled into installing both parts, the attacker can begin collecting all sorts of information about the user, entirely without their knowledge.
The data sent back to the attacker’s command-and-control server includes the user’s email address, details of the device hardware, and even their location; in total, around thirty separate pieces of identifying data are transmitted to the remote server.
According to the researchers at Doctor Web, a company that specializes in identifying malware, the attackers use their foothold on the Android smartphone or tablet to make money, either through ad-click fraud or by recommending further apps that expose users to more malware:
‘A Trojan for Android that steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store.’
Doctor Web’s website also lists the 104 apps it knows to contain the offending code, which is useful given that an estimated 3.2 million users may have downloaded apps containing the trojan. Anyone who suspects they have recently downloaded an app that is causing problems would be well advised to check the list.
How to remove the Malware
The website also gives details of how people can remove the malware from their device if they think they have installed it by accident. This advice appears in a section called ‘curing recommendations’:
‘If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you will see some other announcement that prevents you from using the handheld normally), do the following:
Load your smartphone or tablet in safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
Switch off your device and turn it on as normal.’
Sadly, this is not the only instance of this type of malware being found on the official Google Play Store. Trojans with similar capabilities, known as Kemoge and Libskin, have also been documented, and last year Check Point revealed that an infected Android app called Brain Test had been downloaded from the Google Play store between 200,000 and a million times. What was interesting about that particular app was the way it managed to avoid detection by Google’s ‘Bouncer’ technology, which is meant to spot illegitimate and unwanted apps.
The list goes on: researchers at ESET also found a trojan called Mapin hiding in fake versions of the popular games “Plants vs Zombies 2”, “Traffic Race” and “Temple Run 2 Zoombie”. This is anything but a solitary case; it is something users need to be acutely aware of when downloading apps from the official Google Play store.
An important thing to remember in general is that any time an app asks for permissions that do not fit its purpose, it may be using those permissions to perform actions the user did not want, as in the case of these Trojans, where user information is sent back to the command-and-control server and adverts are served up against the user’s will.
One thing is for sure: using official app stores to download apps will only go so far in protecting users. Good sense is needed as well: stick to apps from recognised developers wherever possible, avoid unnecessary downloads, and keep a good malware detector for Android installed and regularly updated.
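The permission check described above can be done mechanically before an app is trusted. The following is an added example written for this article, not code from Doctor Web or from the original page: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool; the manifest text below is constructed for illustration and does not belong to any real app) and compares the requested permissions against a baseline of what a casual game plausibly needs. The ‘game’ baseline and the high-risk annotations are this example’s own assumptions; the permissions flagged correspond to the behaviour the article describes (reading the account email, device identifiers and location, and prompting the user to install a second APK).

```python
"""Flag Android permission requests that do not fit an app's stated purpose.

Added example, not from the Doctor Web report or the original article.
The manifest below is constructed for illustration; the category baseline
and risk descriptions are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a hypothetical repackaged game (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Fake Game"/>
</manifest>
"""

# Assumed baseline: what a casual game plausibly needs. Extend per category.
BASELINE = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.VIBRATE",
        "android.permission.WAKE_LOCK",
    },
}

# Permissions that map onto the behaviour described in the article:
# identity, hardware and location collection, and side-loading a second APK.
HIGH_RISK = {
    "android.permission.GET_ACCOUNTS": "can read account e-mail addresses",
    "android.permission.READ_PHONE_STATE": "can read device identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "can read precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "can read approximate location",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install another APK",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after reboot",
}


def requested_permissions(manifest_xml):
    """Return the <uses-permission> names in manifest order."""
    root = ET.fromstring(manifest_xml)
    # ElementTree exposes android:name as {namespace}name.
    attr = "{%s}name" % ANDROID_NS
    return [e.get(attr) for e in root.findall("uses-permission")]


def unexpected_permissions(manifest_xml, category):
    """Permissions requested that are outside the category baseline."""
    expected = BASELINE[category]
    return [p for p in requested_permissions(manifest_xml) if p not in expected]


def risk_report(manifest_xml, category):
    """Map each unexpected permission to a short explanation of the risk."""
    return {
        p: HIGH_RISK.get(p, "outside the category baseline")
        for p in unexpected_permissions(manifest_xml, category)
    }


if __name__ == "__main__":
    for perm, why in risk_report(SAMPLE_MANIFEST, "game").items():
        print("%-50s %s" % (perm, why))
```

Run against a manifest decoded from a downloaded APK, the report lists every permission a game has no business asking for. In this constructed case the four flagged entries are exactly the capabilities needed to harvest the email address, hardware details and location and to nudge the user into installing a second package.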