Twenty-five apps found in late August on the Play Store by researchers were observed, and no malicious behavior was detectable when initially installed. However, malware configuration files were downloaded by the apps after time passed. Malicious components enabled modules that hid the app’s icons and displayed ads at random intervals even when the app was closed. This helped the attackers behind the scenes to make a profit using infected devices. Play Protect was able to be avoided by the attackers because the faulty fashion and photo utility app’s malicious functions were not hardcoded in the APKs when submitted for review. “Instead, the switch is controlled remotely via the downloaded configuration file, allowing the malware developer to evade Google Play’s rigorous security testing. These 25 malicious hidden apps share a similar code structure and app content, leading us to believe that the developers may be part of the same organizational group or, at the very least, are using the same source code base,” says the researchers that discovered the apps. All of the 25 apps that were discovered have since been removed by Google after being reported on September 2nd.
Play Protect is already a strong protection solution, but since this tactic finds a way to avoid it, it puts users in a tough situation. Users should remove any apps that are unnecessary and not being used. If suspicious activity is noticed and seems to be coming from an app they have download, they should report it to Google Play immediately.