CyberWarfare / ExoWarfare

Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper

Another crop of Android apps hiding malware have been discovered in – and removed from – the Google Play store.

Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.

Disguised as apps including news aggregations and system cleaners, the apps looked legitimate but hid their malicious properties with the help of obfuscation and delaying the installation of the payload.


Some of the malicious apps identified by ESET.


Following the initial download, the app doesn’t request the suspicious permissions associated with malware and will initially mimic the activity the user expects – the latter is an increasingly common tactic by malicious software developers.

However, alongside this user-facing activity, the app secretly decrypts and executes payloads in a multi-step process. The malicious app decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload. This second-stage payload contains a hardcoded URL which the malware uses to download a third-stage payload containing another malicious app.

All of this is going on in the background without the user’s knowledge until, after a five-minute wait, they’re prompted to install or update an app. This is disguised to look like a piece of legitimate software, such as an update for Adobe Flash Player or the Android system itself, when it is in fact the third stage of the malware’s dropping process.

The installation request asks for permission for intrusive activities such as reading contacts, sending and receiving calls and text messages, and the ability to modify and delete the contents of storage. If permission is given to install this ‘update’, Trojan Dropper delivers the third-stage payload, which decrypts and executes the final payload in the form of the malware itself.

Once installed on the device, Trojan Dropper is used to install other forms of malware – the malware has been spotted attempting to deliver the MazarBot banking trojan and various forms of spyware, but researchers note it can be used to deliver any malicious payload of the criminals’ choice.

Researchers analysed the URL used to deliver the final download and found that almost 3,000 users – mostly based in The Netherlands – reached this stage of the infection. ESET has informed Google of the apps, which have now been removed from the store.

ESET’s report comes at the same time as researchers at Malwarebytes have uncovered a new form of Android trojan malware masquerading as multiple apps in the Play Store.

Thousands of users have downloaded AsiaHitGroup malware from the Google Play store, disguised as innocuous-looking apps such as an alarm clock, a QR code reader, a photo editor and a compass.

“Based on data from Google Play, the apps present in the Play store that are infected with Android/Trojan.AsiaHitGroup have been installed 10,700 to 22,000 times,” Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes, told ZDNet.

Like other forms of malware, AsiaHitGroup appears to look legitimate, even coming with the advertised function. However, in this instance, the user only gets one chance to use the app, because after it is closed the icon disappears.

But rather than becoming inactive, AsiaHitGroup disguises itself as the phone’s ‘download manager’ in the downloaded apps and continues to carry out its malicious activity – which in this case involves tracking the user’s location and distributing adware in order to generate money. Researchers say the geolocation tools ensure that the malware only targets users in Asia.

Like Trojan Dropper, AsiaHitGroup uses obfuscation techniques to hide itself within the Google Play store.

In both cases, users with Google Play Protect enabled would have been protected from the malicious apps, but these are just the latest instances of malware finding its way into the official application marketplace for Android users – BankBot banking data stealing malware was recently found in the store for the third time.

Google says it has a stringent security process for stopping malicious software getting into the Play store and that it keeps the vast majority of its 1.4 billion Android users safe from malware.

ZDNet has attempted to contact Google for comment but hadn’t received a response at the time of publication.




This is the easiest way to prevent malware on your Android device

A single setting could make all the difference when it comes to keeping your device secure.

Apple’s iOS is a real walled garden. With the exception of those brave enough to “jailbreak” their phones, Apple controls which apps get into its App Store, and which don’t.

On Android, it’s not so simple. Google similarly vets its own Play store, but there’s a huge loophole: Android users can allow third-party software installations simply by checking off a button in the settings menu.

The reasons for allowing that outside Android software may range from the benign (beta-testing apps) to the nefarious (pirated software). But as ZDNet’s Zack Whittaker recently detailed, by allowing app installs from unknown sources, you’re essentially opening up your device to potential malware infections.

How to keep your Android device safe

By default, Google prevents users from installing apps from sources other than the Play store.

The best way to protect yourself is to leave the installation of apps from unknown sources disabled. It’s a good idea to double-check that the setting is still disabled, just to be safe.

Exact placement of the option will vary based on the device you own, but it is generally found in the Settings app under Security > Unknown Sources.

To be clear: This doesn’t make your phone 100 percent safe. Nor does it protect you from non-software security issues, including phishing attacks and cloud-based password breaches.

That said, keeping unknown sources deactivated on your phone or tablet is a strong first line of protection that will prevent the most egregious malware from having open access to your device.
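An added audit script (not from the article, ZDNet or Google) that checks the settings this section describes over adb. It assumes adb is on PATH with a USB-debugging device attached, and that the device uses the AOSP setting names install_non_market_apps (global toggle, Android 7 and earlier), package_verifier_enable (Verify Apps / Play Protect scanning) and the per-app REQUEST_INSTALL_PACKAGES app op (Android 8 and later); OEM builds may differ. The parsing helpers are kept separate from the adb calls so they can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the article or from Google: audit an Android device
# over adb for the "unknown sources" loophole described above.
# Assumptions: adb is on PATH and a device with USB debugging is attached;
# the setting keys are the AOSP names install_non_market_apps (Android 7 and
# earlier, global toggle) and package_verifier_enable (Verify Apps / Play
# Protect), and the per-app op on Android 8+ is REQUEST_INSTALL_PACKAGES.

# Global toggle (pre-Android 8): "0" = disabled, "null" = key absent on
# newer builds where the toggle is per app instead. Returns 0 when safe.
unknown_sources_ok() {
    case "$1" in
        0|null) return 0 ;;
        *)      return 1 ;;
    esac
}

# Verify Apps / Play Protect on-device scanning: "1" means enabled.
verifier_ok() {
    [ "$1" = "1" ]
}

# Per-app state (Android 8+) from "appops get <pkg> REQUEST_INSTALL_PACKAGES".
# Prints "allow" if the package may install APKs, otherwise "deny".
installer_state() {
    case "$1" in
        *"REQUEST_INSTALL_PACKAGES: allow"*) echo allow ;;
        *)                                    echo deny ;;
    esac
}

# Live audit: query the attached device and print warnings. adb shell output
# carries CRLF line endings, hence the tr.
audit_device() {
    v=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    unknown_sources_ok "$v" && echo "unknown sources: disabled ($v)" \
        || echo "WARNING: unknown sources enabled ($v)"
    pv=$(adb shell settings get global package_verifier_enable | tr -d '\r')
    verifier_ok "$pv" && echo "verify apps: enabled" \
        || echo "WARNING: verify apps / Play Protect disabled ($pv)"
    # Third-party packages granted the installer op are the per-app loophole.
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        st=$(installer_state "$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | tr -d '\r')")
        [ "$st" = allow ] && echo "WARNING: $pkg may install packages"
    done
    return 0
}

if command -v adb >/dev/null 2>&1; then audit_device; fi
```

Any third-party package reported with the installer op allowed is one that can sideload APKs without going through the Play store, which is exactly the hole the section warns about.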

What you’re giving up

While disabling access to unknown sources is the safest course of action, it may involve some sacrifices.

For example, Android app site APKMirror requires unknown source installation to be enabled. More significantly, Amazon Underground, the retailer’s third-party app store, requires the “unknown sources” toggle to be switched, too. And that’s the only way to get the Amazon Prime Video app on Android devices. (For reasons unknown, most of Amazon’s other media apps — including the Kindle app and the Amazon Music app — are available in the Google Play store, and thus do not require unknown source access.)

But just remember: By allowing apps from those third parties, you’re also opening a de facto security hole on your device. And even if Android security is getting better, it only works if you actually keep Google’s safeguards turned on.

That’s why you should only install applications from official channels such as Google’s Play store, or for Samsung Galaxy users, the Galaxy App Store.




Google to brand certified Android devices with Play Protect logo

The Android maker will certify devices that run authentic Google apps and use the proper security and permissions model.

Google has said it will begin to place its Play Protect logo on the packaging of devices that are certified to run authentic Google apps and allow apps from its Play Store to function properly.

“Certified devices are also required to dispatch without pre-installed malware and include Google Play Protect, a suite of security features such as automatic virus scanning and Find My Device,” the web giant’s explanation states.

The Android warden has also released a list of certified partners, which, besides the usual suspects, contains a number of lesser brands out of China.

Devices that are certified will be recognisable by having a Play Protect logo on the box, Google said.

The use of Play Protect within Android began in May, when it was prominently placed in the Play Store app on the app updating panel.

Play Protect is aided by Google’s machine learning, which is trained to look for harmful apps based on scans of 50 billion apps each day. Apps are analysed before appearing on the Play Store, then Play Protect monitors apps for misbehaviour once installed on the device, running automatically in the background.

Google previously offered this functionality within Android, but it was labelled as “Verify Apps”.

Earlier this month, Google said it would change its Play Store search algorithms to have apps that do not crash or drain battery power rank higher.

The new algorithm will take into account factors such as app crashes, render times, battery usage, and number of uninstalls to determine an app’s ranking.

The company explained that the impetus for change came after it realised that around half of the one-star reviews on the Google Play Store mentioned app stability issues.