How cybercriminals evade mobile app store security measures

Oct. 11, 2023
By using tactics like "versioning" and masquerading as benign "beta" versions, malicious apps dodge stringent security checks

Are you confident that the apps on your smartphone are safe? Think again. Cybercriminals exploit loopholes in mobile app store security, unleashing a new breed of malicious apps onto unsuspecting users.

Utilizing cunning tactics like "versioning" and masquerading as benign "beta" versions, these malicious apps dodge stringent security checks only to reveal their true, harmful nature once they are on your device. From SharkBot, the malware designed to drain your bank account, to stealthy techniques that bypass Google's APK Analyzer, the criminals always try to be one step ahead.

These are not isolated incidents; they are part of a growing trend in mobile threats that requires immediate attention. Trust me, you do not want to be the next victim of unauthorized money transfers, data theft, or worse. Buckle up and dive deep into the disturbing world of rogue apps that might be lurking on your device right now.

The Hidden Risks of Beta Apps

In August, the FBI alerted the public about a new trick cybercriminals are using. Crooks are uploading what look like "beta" versions of crypto investment apps to well-known mobile app stores. These apps are actually designed to steal cryptocurrency. Because they are labeled as "beta" or early versions for enthusiasts to try out, they do not undergo thorough regular app store code reviews, just a quick safety check. This lax screening often misses the hidden malicious code that activates after you install the app.

These fake apps can steal your personal info, gain access to your financial accounts, or even take over your device. They often look really convincing, mimicking popular investment apps and asking for your account details or investment deposits.

Sophos security researchers first sounded the alarm about this issue in March 2022, warning that scammers were exploiting Apple's TestFlight system to distribute these "beta" apps for testing. A newer report digs into a specific campaign called CryptoRom, where the apps pretend to be related to crypto investments. Initially, these apps look legit and get approved for TestFlight. But once they are up, the criminals change the app's URL to direct it to a malicious server, activating the app's harmful functions.

The Rise of Versioning in Malicious Apps

Google's security team admitted that cybercriminals are using a sneaky method called Versioning to bypass Google Play Store's security measures. This approach allows malicious actors to either sneak in harmful code through updates to already-installed apps or use what is known as dynamic code loading (DCL) to introduce the malicious code directly from their own servers.

Versioning is when a developer first puts an app on the Play Store that looks legit and passes our security checks. But later, the app gets an update from a third-party server, and that update changes the code on the user's device, triggering malicious behavior.

According to Google's guidelines, apps on the Play Store are strictly not allowed to update or alter themselves through any method other than Google Play's official update mechanism. They are also prohibited from downloading executable code from external sources. Google insists that every app and update submitted to the Play Store undergoes stringent screening for potentially harmful behavior. However, some of these security measures are sidestepped through dynamic code loading.

Google spotlighted a specific malware called SharkBot, first identified by Cleafy's Threat Intelligence Team in October 2021. This banking malware conducts unauthorized money transfers after compromising an Android device. To avoid detection, those behind SharkBot initially release versions with limited functions on Google Play, thus hiding the app's true malicious nature. But once someone downloads this disguised app, it later downloads the full, harmful version of the malware.

The Trojan Horse Apps Flying Under the Radar

In another case, security researchers from Symantec have discovered numerous Android apps that initially seemed harmless but later revealed their malicious nature. These apps had been downloaded over 2.1 million times from the Play Store before they were identified and removed.

These apps, often disguised as fashion or photo utilities, were submitted to the Google Play Store without the harmful functions built into their original files, allowing them to pass Google's security checks. Once installed, however, they would download malicious settings, turning the app "evil," so to speak.

To evade detection, the developers used various techniques like initialization vectors and encryption keys to encode some of the malware's source code, making it challenging for any security software to identify the apps as harmful.

Once activated, these apps would remove their icons and start displaying full-screen ads at random intervals on the infected devices. The ads did not have an associated app title, so users could not easily identify which app was causing this intrusive behavior.

Rogue developers also use a creative tactic to spread malicious apps. They often release two versions of the same app - one benign and one harmful. The benign app is promoted to rank in the Play Store's Top Trending Apps list in the hopes that users would accidentally download the malicious version as well.

Developer Tool Issues

Cybersecurity journalist Brian Krebs has pointed out a different way that malicious apps avoid detection by common security scanning tools. Hackers identified an Android bug that lets a malicious app appear valid to the Android system, bypassing many security scans designed to catch such software. They used a malicious element to modify the app installation file (.apk) in a way that it still appears valid to the Android system. It can perform all the malicious activities, while embedded security mechanisms cannot properly analyze the code.

Google admitted that some of its developer tools, including APK Analyzer, are currently unable to detect such malicious apps. The company is looking into fixing these gaps in its developer tools and will update its guidelines accordingly.

ThreatFabric pointed out one malware family, known as Anatsa, that is actively using this technique. Anatsa is a sophisticated Android banking trojan usually masked as an innocuous file-management app.

Google Tightens Play Store Security Amid Criticism for Lax Oversight

Recent criticism has targeted Google for not proactively monitoring its Play Store for malicious apps. A report by Ars Technica highlighted that Google tends to be silent when malware is found on its platform, apart from thanking external researchers for the discovery.

At the same time, to strengthen security against malicious apps, Google is implementing new verification steps for developers on the Google Play Store. Starting August 31, 2023, new developer accounts must provide a valid D-U-N-S number - a globally recognized identifier for businesses - to register. This requirement aims to make it more challenging for rogue developers to resubmit harmful apps under new accounts. In addition, the Play Store will improve transparency by enhancing the "App Support" section of app listings, which will now include more comprehensive details about the developer, such as their company name, office address, website, and phone number. Google plans to regularly verify this information and will suspend accounts found to have inconsistencies.

Protection tips for users

To keep your device secure and your information private, follow these essential tips to protect yourself against malicious apps:

  • Make sure to check out an app's reviews on the app store before you download it. Stay away from apps that either have very few downloads or numerous downloads but hardly any reviews.
  • Be careful when installing a new app and look closely at the permissions it asks for. If an app wants access to things that do not seem relevant to what the app actually does, think twice before proceeding. Be particularly cautious with apps that ask for access to sensitive information like your contacts, messages, or location.
  • Consider installing a highly rated mobile security app that offers real-time scanning and other protective features. Additionally, using a reputable password manager can secure your login credentials, making it more difficult for hackers to gain unauthorized access to your accounts.

·         If you notice your device's battery draining faster than usual, your data usage going up, random pop-up ads appearing, your device running slowly, or it gets hot quickly, you might have downloaded malicious software.

About the author: Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.
About the Author

Alex Vakulov | cybersecurity researcher

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.