Malicious Android Apps Reach Play Store As They Evade Google Play Protect

Malicious applications on the Google Play Store are nothing new. What researchers have now documented is how one batch of them got past Play Protect, Google's built-in app scanner: the apps deferred their malicious behavior to a configuration file fetched from a remote server after installation.

Android Apps Evade Google Play Protect

Researchers from Symantec have shared details of their findings in a blog post. They identified numerous malicious Android apps on Google Play that evaded Google Play Protect.

According to the study, the researchers found at least 25 Android apps with malicious behavior, published under 22 different developer accounts. Most posed as fashion apps or photo utilities. Because the apps shared similar code and content, the researchers believe they came from the same developer or group of developers.

After installation, the apps kept their launcher icons visible for a while so the user would interact with them normally. In the background, however, each app downloaded a remote configuration file that switched on the malicious behavior, such as hiding the icon and changing ad-related settings. The app then extracted those settings and applied them on the infected device.

Specifically, the apps displayed ads only after hiding their icons. With no icon in the launcher, the victim has no obvious way to find the app and uninstall it.

Possible Mitigations

Unlike most malicious apps, the batch spotted in this study did not carry the malicious functionality in the APK itself. The icon-hiding and ad-display behavior was driven by a remote configuration file that the apps downloaded later, so an app that is scanned at submission time, or observed during its first runs, behaves benignly and gives Google Play Protect nothing to flag. The same trick defeats any defense that only inspects the APK or only watches an app until it looks clean: the decision to turn malicious is made on a server, after the review is over.

Given how cheap this trick is, apps like these will likely keep appearing on Google Play. Users should stay vigilant: an app whose icon disappears shortly after installation while ads start appearing is a strong sign of this behavior, and the app can still be removed from the system's application settings even without an icon. Because these apps were hosted on Google Play itself, the usual advice to avoid untrusted sources is necessary but not sufficient; as always, though, one should never install an app from an untrusted source.
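As an added example (not from the Symantec research or the original article), the following script shows one practical check for the icon-hiding behavior described above. An app that disables its launcher activity no longer appears in the list of MAIN/LAUNCHER activities the home screen uses, but it remains in the list of installed packages; comparing the two outputs of `adb` yields the packages with no icon. The sample outputs and package names are constructed for the example, and the exact header text of `cmd package query-activities --brief` is assumed to vary by Android version, which is why the parser keys only on `package/activity` tokens.

```python
import re
from typing import Iterable

# Constructed sample output of `adb shell pm list packages -3` (third-party
# packages only). Package names are invented for this example.
PM_LIST_PACKAGES_OUTPUT = """\
package:com.example.photoeditor
package:com.example.fashiontrends
package:com.example.keyboard
package:com.example.notes
"""

# Constructed sample output of
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# which lists every activity the home screen would show an icon for. The header
# line is assumed to vary across Android versions, so the parser below only
# keys on "package/activity" component tokens.
QUERY_ACTIVITIES_OUTPUT = """\
2 activities found:
  com.example.notes/.MainActivity
  com.android.settings/.Settings
"""

PACKAGE_LINE = re.compile(r"^package:([\w.]+)", re.MULTILINE)
COMPONENT_TOKEN = re.compile(r"\b([A-Za-z][\w.]*)/[\w.$]+")


def parse_installed_packages(pm_output: str) -> set[str]:
    """Package names from `pm list packages` output."""
    return set(PACKAGE_LINE.findall(pm_output))


def parse_launcher_packages(query_output: str) -> set[str]:
    """Packages that currently expose at least one MAIN/LAUNCHER activity."""
    return {m.group(1) for m in COMPONENT_TOKEN.finditer(query_output)}


def find_iconless_packages(pm_output: str, query_output: str,
                           allowlist: Iterable[str] = ()) -> list[str]:
    """Installed third-party packages that have no launcher icon.

    An app that has disabled its launcher activity (the icon-hiding trick
    described in the article) drops out of the query-activities result but
    not out of `pm list packages`. The difference is a triage list, not a
    verdict: keyboards, plugins and background services legitimately have no
    icon, so known-good packages can be passed in `allowlist`.
    """
    installed = parse_installed_packages(pm_output)
    visible = parse_launcher_packages(query_output)
    return sorted(installed - visible - set(allowlist))


if __name__ == "__main__":
    for pkg in find_iconless_packages(PM_LIST_PACKAGES_OUTPUT,
                                      QUERY_ACTIVITIES_OUTPUT,
                                      allowlist={"com.example.keyboard"}):
        # Inspect each hit; `adb uninstall <pkg>` removes one that is unwanted.
        print(pkg)
```

On a real device, replace the two constants with the live output of the `adb shell` commands named in the comments. An app that turns up here and that you remember installing with an icon is worth uninstalling.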
