Google has tightened its policies for application developers in an attempt to prevent malware. The Play Store still includes numerous malicious Android apps targeting users with adware, spyware, and other sorts of malware. Recently, Bitdefender has delved into the details of how these Android apps ditch Google vetting process to appear on the Android Play Store.
How Android Apps Ditch Google App Vetting Process
Researchers from Bitdefender have analyzed various malicious Android apps to see how they ditch Google’s app vetting process. In this connection, they have published a detailed white paper mentioning about their findings.
In summary, they analyzed 25 different apps with cumulative 700,000 downloads on the Play Store. These apps packaged aggressive adware SDKs and employed various tactics to ditch Google’s app review. These include,
Dynamic Loading Of The Encrypted Main Logic
For instance, the ‘Pocket Camera’, which later reappeared as ‘InClip – Video editor app’, prevented detection by excluding the main logic from the app code. It then first loaded a native binary library which further decrypted and loaded the code.
Time Checks And Display Durations
Apps could check the time for being at least 18 hours from a specified time. A ‘true’ check would then let the app display ads and hide. As stated by the researchers,
Check that system time is at least 18 hours after a specific time using a hardcoded numerical value for the time (not a time object), then it starts hiding its presence.
They found at least 10 different apps exhibiting the same behavior. Although they apparently belonged to different developers, the apps shared the same code base.
These apps also exhibited longer time durations between ads display, possibly to evade security checks – the ‘anti-Google Play mechanism’.
The typical display time between ads is currently 15 minutes. However, the first time the application is launched an initial higher wait time of 350 minutes is currently used, probably to avoid user suspicion.
Using Open-Source Utility Library
These malicious apps that Bitdefender analyzed also exhibited other behavior to evade security checks. They used an open-source utility library, such as Evernote or Dropbox, to run background jobs instead of an Android API. The apps also used the same resource to control the ‘ShowAds’ or ‘ShowAdsHideIcon’ activity.
Replacing Clean SDKs With Malicious Ones
Another strategy popular among the app developers to bypass security checks is to initially upload clean app versions. They then replace these with the ones bundled with adware. These apps may or may not exhibit the icon hiding feature as well.
Other Common Strategies To Bypass Play Protect
In addition to the above, other apps also exhibited other types of features to circumvent Google’s app vetting system. These strategies include submitting a similar codebase from various developers, using remote servers to trigger malicious embedded codes, and mimicking clean SDKs.
In some cases, the app developer could simply turn a clean app into a malicious one following a malicious update. Recently, an Android app CamScanner showed similar behavior as it suddenly started delivering malware.
There seems no preventive measure from Google to control the appearance of such apps on the Play Store. Therefore, it solely depends on how users interact with an app.
