Evading detection
Apps with blatantly obvious malware embedded will rarely make it past the basic app store review process. However, apps that can disguise and layer malicious functionality are much more successful at making it onto the stores and into broader distribution.
Seven dropper malware apps designed to pull down adware APKs from a GitHub repository were found on the Google Play Store. This essentially opens a backdoor on the device for any new application functionality to be installed. The droppers were cleverly crafted to evade detection — the apps waited before sending the request to GitHub and the embedded GitHub URL was obfuscated to prevent the URL string from being flagged by any human analysis or app store security checks. Because the adware APKs could self-execute without user interaction, and because the video ads required manual dismissal, this adware could seriously impact device battery life and data consumption.
Blocking productivity
Data theft is perceived as the most damaging implication of a malware infection. But this doesn’t mean that other types of risky behavior should be discounted as low-severity threats. A denial of service attack can occur when a user’s device is flooded by persistent ads. For certain industries, like transportation and healthcare, having a device suddenly taken offline by malware can be devastating. Intrusive out-of-app ads interrupt users in the middle of their workflows, brick their devices, and drain their devices’ batteries. In some cases, when the adware is difficult to remove, infected devices need to be replaced altogether.
Two selfie camera apps infected with adware were found on the Google Play Store with a combined 1.5M+ downloads. Once installed, the app icons were visible in the app drawer. But when the apps were opened, they created a shortcut and then removed themselves from the app drawer. Even after the shortcuts were uninstalled, the apps stayed active and could be seen running in the background.
Malicious cryptojacking has a similar impact on user productivity, but it presents a more significant risk than adware. Cryptojacking malware doesn’t typically steal data or lock a user out, but it can render a device unusable by slowing the processor down and draining the battery. We delve deeper into cryptojacking in the next section.
Stealing data
The obvious aim of malware is to steal data. But having this functionality embedded in an app makes it more likely to be detected by app store security checks. However, apps are getting better at stealing data covertly, usually via social engineering techniques like phishing.
A horror gaming app with layers of malicious functionality was found on the Google Play Store with over 50,000 installs. Once installed, the app triggered a persistent, adware-style Google-themed phishing attack on the victim’s device. If the app was successful in capturing the victim’s Google credentials, it would log in and scrape more PII from the victim’s Google account and, silently in the background, send it to a server.
