Threat actors use versioning to bypass Google Play Store’s malware detection and target Android users.
In its August 2023 Threat Horizons Report, shared with The Hacker News, the Google Cybersecurity Action Team (GCAT) said that campaigns using versioning typically go after users' credentials, data and finances. Versioning is not new, but it remains hard to detect because the app that is reviewed at submission time is not the app that eventually runs on the device.
Malicious apps employ sneaky versioning techniques
The technique involves publishing a benign initial version of an app on the Play Store, passing Google's review, and only later adding the malicious component through an update.
The malicious component does not have to pass through the store at all: the installed app pulls an update from a server the attackers control and runs it through dynamic code loading (DCL), turning a reviewed app into a backdoor.
In May 2023, ESET reported on "iRecorder - Screen Recorder," a screen-recording app that stayed benign on the Play Store for almost a year before an update quietly added code to spy on users.
Another example of DCL-based malware is SharkBot, which has repeatedly posed as security and utility apps on the Play Store.
SharkBot is a banking trojan that uses Automated Transfer Service (ATS) techniques to initiate unauthorized money transfers directly from the compromised device.
Dropper apps that reach the storefront ship with deliberately limited functionality so they attract less scrutiny during review; once a user installs one, it downloads the complete malware payload.
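The mechanism described above (a reviewed app that later loads code fetched from an attacker-controlled server, and droppers that ship minimal functionality and pull the payload after install) leaves a recognisable shape in the app's own code: a runtime class loader, a way to fetch bytes, and a place to write them. The script below is an added example, not code from Google's report or from the article, showing how a static triage check for that shape works. The indicator strings, the verdict thresholds and the two sample APKs are assumptions constructed for the example; the samples are fake zips with a stand-in classes.dex, not real apps.

```python
"""Static triage for dynamic-code-loading (DCL) indicators in an APK.

An APK is a zip; compiled code lives in classes*.dex, whose string table
stores class references as descriptors such as Ldalvik/system/DexClassLoader;.
A dropper or versioning-style app that fetches a second stage from a server
the attackers control typically needs a class loader that accepts a file
or buffer, a way to fetch bytes, and somewhere to write them. Finding all
three together is the shape worth a closer look. It is not a verdict:
plug-in frameworks use DCL legitimately, and obfuscated apps can build
these strings at runtime so that none of them appear in the DEX at all.
"""
import io
import re
import zipfile

# Indicator strings assumed for this example, written as DEX descriptors.
DCL_LOADERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/BaseDexClassLoader;",
)
FETCH_INDICATORS = (
    b"Ljava/net/HttpURLConnection;",
    b"Lokhttp3/OkHttpClient;",
)
WRITE_INDICATORS = (
    b"Ljava/io/FileOutputStream;",
    b"getCodeCacheDir",
)
DEX_NAME_RE = re.compile(r"classes\d*\.dex")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def _present(blob: bytes, needles) -> list:
    """Return the needles that occur in blob, decoded for readability."""
    return [n.decode() for n in needles if n in blob]


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex entry (multidex included) for DCL indicators.

    Verdicts:
      "clean"        no DCL class loader referenced
      "dcl-present"  a loader is referenced, but no fetch-and-write pair
      "dcl-suspect"  loader + network fetch + file write: the dropper shape
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("input is not a zip/APK") from exc
    with zf:
        dex_blobs = [zf.read(n) for n in zf.namelist() if DEX_NAME_RE.fullmatch(n)]
    if not dex_blobs:
        raise ValueError("no classes*.dex entries: not an Android app package")
    code = b"\0".join(dex_blobs)
    result = {
        "loaders": _present(code, DCL_LOADERS),
        "fetchers": _present(code, FETCH_INDICATORS),
        "writers": _present(code, WRITE_INDICATORS),
        "urls": sorted({m.decode(errors="replace") for m in URL_RE.findall(code)}),
    }
    if not result["loaders"]:
        result["verdict"] = "clean"
    elif result["fetchers"] and result["writers"]:
        result["verdict"] = "dcl-suspect"
    else:
        result["verdict"] = "dcl-present"
    return result


def build_sample_apk(dex_strings) -> bytes:
    """Build a constructed stand-in APK for offline runs: a zip whose fake
    classes.dex is only a NUL-separated string table (a real DEX also has a
    header, maps and bytecode, but the substring checks above need only the
    strings)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings) + b"\0")
    return buf.getvalue()


# Constructed samples, not real apps; hostnames use the reserved .invalid TLD.
BENIGN_SAMPLE = build_sample_apk([
    b"Ljava/net/HttpURLConnection;",   # ordinary networking
    b"Ljava/io/FileOutputStream;",     # ordinary file I/O
    b"https://api.example.invalid/v1/",
])
DROPPER_SAMPLE = build_sample_apk([
    b"Ldalvik/system/DexClassLoader;", # loads a .dex from a path at runtime
    b"Ljava/net/HttpURLConnection;",   # fetches the second stage
    b"Ljava/io/FileOutputStream;",     # writes it under the app's data dir
    b"getCodeCacheDir",
    b"https://update.example.invalid/stage2.dex",
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("dropper", DROPPER_SAMPLE)):
        print(label, scan_apk(sample))
```

Run it on a real APK by passing the file's bytes to `scan_apk`. The point of the three-way split is that networking and file writes alone are unremarkable, which is why the benign sample stays "clean"; only the combination with a runtime loader earns the "dcl-suspect" label. This catches the lazy cases, which is exactly what a reviewer of an update would want to look at first, and misses the careful ones, which is why Google's own guidance leans on Play Protect and device management rather than on static scanning alone.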
Google stressed that enterprises should apply defense-in-depth principles, including restricting app installation to trusted sources such as Google Play and managing corporate devices through a mobile device management (MDM) platform.
Separately, ThreatFabric disclosed that malware distributors have abused an Android bug to make malicious apps look benign by "corrupting components of an app" while the package remains valid enough for Android to install and run, as reported by KrebsOnSecurity.
To reduce the risk, Android users should install apps only from trusted sources and keep Google Play Protect enabled so they are warned when a potentially harmful app (PHA) is detected on their device.
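The "trusted sources only" advice given here, and the enterprise version of it above (restrict installs and manage devices through MDM), is only enforceable if you can see where each app on a device actually came from. The script below is an added example, not from Google's report or the article: it audits installer attribution from the output of `adb shell pm list packages -i` and `pm list packages -s`. The output shown is a constructed sample so the script runs offline, and the trusted-store set is an assumption to adjust to your own policy.

```python
"""Installer-source audit for a managed Android fleet.

`adb shell pm list packages -i` prints one line per installed package as
`package:<name>  installer=<installer package or null>`; `pm list packages -s`
lists the system (preloaded) packages. Preloaded apps have no installer
either, so the two lists are joined to tell "preloaded" from "sideloaded".
The outputs below are constructed samples so the script runs offline.
"""
import re

# Assumption for this example: Google Play is the only trusted store. Add
# the package name of any store your MDM policy explicitly allows.
TRUSTED_INSTALLERS = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.banking  installer=com.android.vending
package:com.example.recorder  installer=null
package:com.example.utility  installer=com.example.thirdpartystore
package:android  installer=null
"""
SAMPLE_SYSTEM_OUTPUT = """\
package:android
package:com.android.chrome
"""


def parse_installers(text: str) -> dict:
    """Map package name -> installer package, or None when pm printed null."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        inst = m.group("inst")
        entries[m.group("pkg")] = None if inst == "null" else inst
    return entries


def parse_system_packages(text: str) -> set:
    """Set of package names from `pm list packages -s` output."""
    return {
        line.strip()[len("package:"):]
        for line in text.splitlines()
        if line.strip().startswith("package:")
    }


def audit_installers(pm_text: str, system_text: str,
                     trusted=frozenset(TRUSTED_INSTALLERS)) -> dict:
    """Return {package: reason} for non-system apps that did not come from
    a trusted store. installer=None on a non-system app means it was
    sideloaded (adb, a file manager, or another app with install rights)."""
    installers = parse_installers(pm_text)
    system = parse_system_packages(system_text)
    findings = {}
    for pkg, inst in installers.items():
        if pkg in system:
            continue
        if inst is None:
            findings[pkg] = "sideloaded: no installer recorded"
        elif inst not in trusted:
            findings[pkg] = f"installed by untrusted store {inst}"
    return findings


if __name__ == "__main__":
    report = audit_installers(SAMPLE_PM_OUTPUT, SAMPLE_SYSTEM_OUTPUT)
    for pkg, reason in sorted(report.items()):
        print(f"{pkg}: {reason}")
```

Two caveats matter here. First, this check shows policy drift, not safety: a versioning app that passed Play review shows `installer=com.android.vending` and will still load its payload later, which is the whole point of the technique. Second, the installer name is metadata; on older Android releases the installing app could set it freely, and only Android 11 added `InstallSourceInfo` with a verified initiating package, so treat the field as self-reported on anything earlier.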