Malware hiding Android apps return to Google Play after a simple name change

Symantec discovers seven malicious apps sneaked back onto Google Play with different names

A red Android mascot

Researchers have discovered a set of malicious apps on the Google Play Store that are reappearing after being removed by simply changing their names.

Malware identified as Android.Reputation.1, a Trojan first encountered in 2014, has been found in new iterations of at least seven apps on the Play Store after Google was previously alerted to them.

These new apps, featuring under a different publisher, carry the same code but are listed under an altered name, according to researchers from security company Symantec. The apps offer an array of features including emoji keyboard add-ons, calculators, call recorders, and storage space cleaners.

"The Google Play app store has a reputation as the safest place online to get Android apps," wrote Symantec's Martin Zhang, principle software engineer, and Shaun Aimoto, technical product owner, in a blogpost, adding: "And Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.

"We've encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed."

The apps, once installed, take measures to stay on the device, disappear and wipe their tracks, including waiting for hours before launching malicious activity to avoid arousing suspicion and requesting admin privileges - using the Google Play icon when doing so to feign legitimacy.

The apps also retain the ability to change the launcher icon and their "running apps" icon in the system settings once installed, again using well-known icons such as Google Play or Google Maps to avoid suspicion, as well as pushing content such as ads or scams to the device.

Earlier this month Symantec discovered 38 malicious apps carrying the Android.Reputation.1 Trojan on the Play Store disguised as game and education apps - hiding their existence from users by removing their icons from the home screen. 

The company previously discovered a set of eight apps hiding a "highly prevalent" type of malware, dubbed Android.Sockbot, in late 2017, which operated by adding compromised devices into a botnet to potentially perform DDoS attacks. The apps boasted an install base of between 600,000 and 2.6 million devices.

"Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behaviour," Symantec's post continued.

The researchers provided the standard recommendations for users to avoid falling foul to sophisticated malware such as this, including keeping software up-to-date, avoiding downloading apps from unfamiliar sites, only installing apps from trusted publishers, reviewing permission requests, and installing a mobile security app.

IT Pro contacted Symantec and Google but neither were able to comment at the time of writing.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
What is a Trojan?
Security

What is a Trojan?

27 Aug 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021