Malware hiding Android apps return to Google Play after a simple name change

Symantec discovers seven malicious apps sneaked back onto Google Play with different names

Researchers have discovered a set of malicious apps on the Google Play Store that are reappearing after being removed by simply changing their names.

Malware identified as Android.Reputation.1, a Trojan first encountered in 2014, has been found in new iterations of at least seven apps on the Play Store after Google was previously alerted to them.

These new apps, which appear under a different publisher, carry the same code but are listed under an altered name, according to researchers from security company Symantec. The apps offer an array of features including emoji keyboard add-ons, calculators, call recorders, and storage space cleaners.
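Because the relisted apps carry the same code under a new name and publisher, a reviewer can match a new submission against a previously removed app by fingerprinting the code rather than the listing. The sketch below is an added example, not Symantec's or Google's tooling; it assumes the relisted APK ships byte-identical `classes*.dex` files, and the app names, publishers and APK contents are constructed sample data.

```python
import hashlib
import io
import zipfile


def code_fingerprint(apk_bytes):
    """SHA-256 over every classes*.dex entry, in name order.

    The manifest, resources and signing block are ignored, so a changed
    app label, icon or publisher certificate does not change the result.
    Returns None when the archive contains no DEX code.
    """
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        dex_names = sorted(n for n in apk.namelist()
                           if n.startswith("classes") and n.endswith(".dex"))
        if not dex_names:
            return None
        for name in dex_names:
            data = apk.read(name)
            digest.update(len(data).to_bytes(8, "big"))  # length-prefix each file
            digest.update(data)
    return digest.hexdigest()


def find_relistings(removed, candidates):
    """Each item is (listing_name, publisher, apk_bytes).

    Returns (candidate_name, candidate_publisher, removed_name) for every
    candidate whose code fingerprint matches a removed app.
    """
    known = {}
    for name, _publisher, apk in removed:
        fingerprint = code_fingerprint(apk)
        if fingerprint is not None:
            known[fingerprint] = name
    hits = []
    for name, publisher, apk in candidates:
        fingerprint = code_fingerprint(apk)
        if fingerprint in known:
            hits.append((name, publisher, known[fingerprint]))
    return hits


def make_sample_apk(dex_payload, label):
    """Build a minimal constructed archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"label=" + label)
        apk.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed sample data: one removed app and two new submissions.
REMOVED = [("Emoji Keyboard Plus", "Publisher A", make_sample_apk(b"dex-A", b"Emoji Keyboard Plus"))]
CANDIDATES = [
    ("Fun Emoji Keys", "Publisher B", make_sample_apk(b"dex-A", b"Fun Emoji Keys")),
    ("Simple Calculator", "Publisher C", make_sample_apk(b"dex-B", b"Simple Calculator")),
]
```

An exact hash only catches unmodified re-uploads; any recompilation or repacking changes the fingerprint, which is why behaviour-based analysis is still needed alongside it.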

"The Google Play app store has a reputation as the safest place online to get Android apps," wrote Symantec's Martin Zhang, principal software engineer, and Shaun Aimoto, technical product owner, in a blog post, adding: "And Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.

"We've encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed."

Once installed, the apps take measures to stay on the device, disappear and wipe their tracks. These include waiting for hours before launching malicious activity to avoid arousing suspicion, and requesting admin privileges while using the Google Play icon to feign legitimacy.

The apps also retain the ability to change the launcher icon and their "running apps" icon in the system settings once installed, again using well-known icons such as Google Play or Google Maps to avoid suspicion, as well as pushing content such as ads or scams to the device.

Earlier this month Symantec discovered 38 malicious apps carrying the Android.Reputation.1 Trojan on the Play Store disguised as game and education apps - hiding their existence from users by removing their icons from the home screen. 

The company previously discovered a set of eight apps hiding a "highly prevalent" type of malware, dubbed Android.Sockbot, in late 2017, which operated by adding compromised devices into a botnet to potentially perform DDoS attacks. The apps boasted an install base of between 600,000 and 2.6 million devices.

"Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behaviour," Symantec's post continued.

The researchers provided the standard recommendations for users to avoid falling foul of sophisticated malware such as this, including keeping software up-to-date, avoiding downloading apps from unfamiliar sites, only installing apps from trusted publishers, reviewing permission requests, and installing a mobile security app.

IT Pro contacted Symantec and Google but neither was able to comment at the time of writing.
