In late August, researchers found twenty-five apps on the Play Store that showed no detectable malicious behavior when first installed. Only after some time did the apps download malware configuration files. These activated malicious components: modules that hid the app’s icon and displayed ads at random intervals even when the app was closed, letting the attackers profit quietly from infected devices. The attackers evaded Play Protect because the malicious functions of these fashion and photo utility apps were not hardcoded in the APKs submitted for review. “Instead, the switch is controlled remotely via the downloaded configuration file, allowing the malware developer to evade Google Play’s rigorous security testing. These 25 malicious hidden apps share a similar code structure and app content, leading us to believe that the developers may be part of the same organizational group or, at the very least, are using the same source code base,” say the researchers who discovered the apps. Google has since removed all 25 apps after they were reported on September 2nd.
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In