Threat Watch

Android Malware Apps With 2 Million Installs Found on Google Play

A new batch of thirty-five malicious Android apps was found on the Google Play Store, with the apps installed over 2 million times on victims’ mobile devices. The apps were found by security researchers at Bitdefender, who employed a real-time behavior-based analysis method to discover the potentially malicious applications.

Following standard tactics, the apps lure users into installing them by pretending to offer some specialized functionality, but change their name and icon immediately after installation, making them difficult to find and uninstall. The malicious apps then begin to serve intrusive advertisements to the users by abusing WebView, generating fraudulent impressions and ad revenue for their operators. Additionally, because these apps use their own framework to load the ads, it would likely be possible to drop additional payloads on a compromised device.

After installation, the apps typically assume a cog icon and rename themselves as ‘Settings’ to evade detection and deletion. If the user clicks on the icon, the malware app launches with a size of 0 so that it stays hidden from view. The malware then launches the legitimate Settings menu to trick users into thinking they launched the correct app.

The malicious apps also feature heavy code obfuscation and encryption to thwart reverse engineering efforts, hiding the main Java payload inside two encrypted DEX files. Another way the apps hide from the user is by excluding themselves from the ‘Recent apps’ list, so even if they run in the background, exposing active processes won’t reveal them.

The 35 malicious Android applications have download counts ranging from 10,000 to 100,000, totaling over two million downloads. The most popular of these, having 100k downloads each, are the following:

  • Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren)
  • Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
  • Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder)
  • Engine Wallpapers (gb.helectronsoftforty.comlivefour)
  • Stock Wallpapers (gb.fiftysubstantiated.wallsfour)
  • EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo)
  • Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight)
  • Fast Emoji Keyboard APK (de.eightylamocenko.editioneights)
  • Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
  • Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera)
  • Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo)
  • Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme)
  • Animated Sticker Master 1.0 (am.asm.master)
  • Sleep Sounds 1.0 (com.voice.sleep.sounds)
  • Personality Charging Show 1.0 (com.charging.show)
  • Image Warp Camera
  • GPS Location Finder (smart.ggps.lockakt)

Of the above, ‘Walls light – Wallpapers Pack’, ‘Animated Sticker Master’, and ‘GPS Location Finder’ were still available on the Play Store at the time of writing.

ANALYST NOTES

Users who have installed any of these apps in the past should locate and remove them from the device immediately. Because the apps masquerade as Settings, running a mobile AV tool to locate and remove them might be helpful in this case.
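Because the renamed apps keep their original package names, a device can also be checked by package name rather than by label. The script below is an added example, not from Bitdefender or the source article: it parses the output of `adb shell pm list packages -f -3` and flags the package names listed above. The function names and the sample output are constructed for illustration.

```python
"""Flag package names listed in this article in `pm list packages` output."""
import sys
# Package names exactly as listed above ("Image Warp Camera" has none given).
LISTED = {
    "gb.packlivewalls.fournatewren": "Walls light – Wallpapers Pack",
    "gb.blindthirty.funkeyfour": "Big Emoji – Keyboard",
    "gb.convenientsoftfiftyreal.threeborder": "Grand Wallpapers – 3D Backdrops",
    "gb.helectronsoftforty.comlivefour": "Engine Wallpapers",
    "gb.fiftysubstantiated.wallsfour": "Stock Wallpapers",
    "gb.actualfifty.sevenelegantvideo": "EffectMania – Photo Editor",
    "gb.crediblefifty.editconvincingeight": "Art Filter – Deep Photoeffect",
    "de.eightylamocenko.editioneights": "Fast Emoji Keyboard APK",
    "gb.convincingmomentumeightyverified.realgamequicksix": "Create Sticker for Whatsapp",
    "gb.labcamerathirty.mathcamera": "Math Solver – Camera Helper",
    "gb.mega.sixtyeffectcameravideo": "Photopix Effects – Art Filter",
    "gb.theme.twentythreetheme": "Led Theme – Colorful Keyboard",
    "am.asm.master": "Animated Sticker Master",
    "com.voice.sleep.sounds": "Sleep Sounds",
    "com.charging.show": "Personality Charging Show",
    "smart.ggps.lockakt": "GPS Location Finder",
}
# Constructed sample output (paths are made up), used when nothing is piped in.
SAMPLE = """\
package:/data/app/~~Zk3vQ1x9aB==/gb.packlivewalls.fournatewren-7dPq2w==/base.apk=gb.packlivewalls.fournatewren
package:/data/app/~~Aa11bb22cc==/org.example.notes-Xy12zz==/base.apk=org.example.notes
package:/data/app/smart.ggps.lockakt-1/base.apk=smart.ggps.lockakt
package:am.asm.master
"""

def parse_pm_list(text):
    """Yield (package, apk_path or None) for each `package:` line."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines and adb warnings
        # With -f a line is "<apk path>=<package>". Newer Android install
        # paths contain "==" themselves, so split on the last "=" only.
        path, sep, pkg = line[len("package:"):].rpartition("=")
        yield pkg, (path if sep else None)

def find_listed(text):
    """Return sorted (package, store name, apk_path) for listed packages."""
    hits = [(p, LISTED[p], path) for p, path in parse_pm_list(text) if p in LISTED]
    return sorted(hits, key=lambda hit: hit[0])

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pkg, name, path in find_listed(text):
        print(f"LISTED  {pkg}  ({name})  apk={path}")
```

Pipe real output into the script to check a connected device; a flagged package can then be removed by name with `adb uninstall <package>`, which works regardless of the label and icon the app currently shows.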

 

Source: https://www.bleepingcomputer.com/news/security/android-malware-apps-with-2-million-installs-found-on-google-play/