FacebookTwitterLinkedIn

Google Play Store Swarmed with Malware

Karolis Liucveikis Written by on

Recent reports across multiple platforms would indicate that hackers are still able to exploit the Google Play Store to upload malware with the intention of infecting Android devices. This is by no means a new phenomenon but hackers prove again that they are a resourceful bunch. No matter what countermeasures are employed a resourceful hacker will find a way to exploit the situation. In three separate instances, threat actors have looked to distribute malware using the Play Store. On September 24, security researchers at SophosLabs published an article explaining that at least 25 Android apps on the official Google Play store contain code that mines cryptocurrencies in the background. It is important to note that these apps do not inform users of the mining or in the majority of circumstances offer the user no opt-out option.

As part of Google’s developer policies the tech giant does not allow crypto miners, malware designed to mine cryptocurrencies using the user’s CPU, to be incorporated into apps. This has not stopped malware authors from including these pieces of code.

According to Sophos, over 120,000 users might have downloaded and installed the disguised apps. The programs are disguised as games, utilities, and educational apps in an attempt to mine more cryptocurrency.

google play store malware

Most of the offending applications, SophosLabs says, includes embedded code from Coinhive, a JavaScript implementation to mine for the Monero crypto-currency. Designed to use a device’s CPU for the mining process, instead of a GPU, Coinhive has become the gold standard for mining on mobile devices. Along with Coinhive, Monero is the chosen cryptocurrency.

SophosLabs explained,

“Monero has been the authors’ choice of crypto-currency for all these apps as it offers sufficient privacy to keep the source, destination, and the amount mined hidden. These apps use CPU throttling to limit CPU usage by mining, and thus avoid the usual pitfalls: device overheating, high battery drain, and overall device sluggishness,”

Interestingly of the 25 apps analyzed by SophosLabs, 11 were found to be preparation apps for standardized tests in the United States, such as the ACT, GRE, or SAT. The 11 preparation apps were also published by the same developer and contained an HTML page that implements the Coinhive-based miner. an HTML page that implements the Coinhive-based miner. Google was notified on the behavior of these applications in August and has already removed some of them, but many continue to be available for download in the Google Play Store at the time of writing.

Android-based Spyware steals data from Whatsapp

Initially discovered by Eset security researcher, Lukas Stefanko, a new strain of spyware which targets Android users and is able to steal data from Whatsapp. The spyware was discovered as an open development project and besides been able to steal data from Whatsapp accounts it also contains a variety of standard surveillance features. It was not only Stefanko who deemed the spyware important enough to warrant further investigation. G DATA SecurityLabs published a report on the spyware. It was discovered that the malware's code was deposited in a public repository titled "OwnMe" on GitHub. It also became quickly apparent that the malware is still in development. With the exception of malicious code such as ransomware, the majority of malware families will attempt to hide their presence in infected devices through covert operations and obfuscation techniques.

Another telling bit of information that indicated the spyware is still under development was a pop-up message stating “Service started” when installed. It is highly unlikely the developers would choose to inform victims they had just been infected in such a way. This is especially true when creating spyware. Although unfinished the spyware does boast a number of interesting features, the main one being the function to compromise Whatsapp data.

This function uploads the user's WhatsApp database to a command and control server using a .php query, as well as the username and the android_id variables taken from the startup process. The malware is also to use a function named getHistory() to grab titles, times, URLs and visits from user bookmarks. However, this function only fetches saved bookmarks and, at least at present, is not able to rifle through the full browsing histories of victims. Like some other spyware strains, the user’s contacts are also targeted. The spyware can access both contacts and call logs although this feature does require the user to grant the relevant permissions. Lastly, the malware will restart after the device is rebooted in order to maintain persistence.

Last, but certainly not least

In August of this year, researchers at Bitdefender discovered another piece of Android spyware which they called Triout. A particularly powerful strain of spyware it has the ability to record phone calls, monitor text messages, secretly steal photos and videos, and collect the location of the user is disguising itself in a repackaged version of a legitimate app and being distributed as part of what appears to be a targeted and sophisticated espionage campaign. According to researchers at Bitdefender, the malware has been active since at least May this year and is packaged inside a phony version of an Android app which was previously available on the Google Play store in 2016, but has since been removed. The repackaged version of the app is still signed with an authentic Google Debug Certificate.

The research initially suggests the malware originated from Russia. However, the majority of the detected samples are in Israel, pointing to the possibility of a specially targeted campaign against individuals within the country. That been said, not enough research has been done to suggest who may be responsible. Currently, it can be assumed that those behind the spyware have access to resources and knowledge to build a sophisticated form of spyware meaning, not your average hacker.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog