Real-Time Behavior-Based Detection on Android Reveals Dozens of Malicious Apps on Google Play Store

Note: all applications mentioned in this research have been taken down and are no longer accessible.

For the past few years, cyber-criminals have strengthened their efforts to have malicious applications listed on Google Play Store – the world's most trafficked Android app source. While the platform's security checks have improved through the years, our research still uncovers malicious apps that use a vast array of tricks to bypass these checks.

This is the case of a new malware campaign on the Google Play Store where numerous apps use false pretexts to lure victims into installing them, only to change their name and aggressively serve ads afterward.

Attack at a glance

• Bitdefender has identified 35 applications that have snuck into the Play Store, totaling over two million downloads if we consider the available public data.
• These apps hide their presence on the device by renaming themselves and changing their icon, then start serving aggressive ads
• To confuse the user and conceal their presence, the applications are changing their name and icon after installation

One of the ways cyber-criminals monetize their presence on Google Play is to serve ads to their victims. While this may sound diminutive, these ads served to victims are disrupting the usage experience and can link directly to malware.

Many legitimate apps offer ads to their users, but these ones show ads through their own framework, which means they can also serve other types of malware to their victims. Most of the time, users can choose to delete the application if they don't like it. But these new malicious apps trick victims into installing them, only to change their name and icons and even take some extra steps to conceal their presence on the device. Users can still delete them at will, but the developers make it more difficult to find them on the affected devices.

While all of the detected apps are clearly malicious, the developers were able to upload them to the Google Play Store, offer them to users and even push updates that made the apps better at hiding on devices. Bitdefender identified the malicious apps using a new real-time behavioral technology designed to detect precisely these dangerous practices, among many others. This new technology is already producing results as new detections are instantly shared with all Bitdefender Mobile Security users.

We looked at the 'GPS Location Maps' app as the first example. With over 100k downloads, it's one of the more popular, but we noticed it doesn't have any reviews. Immediately after installation, the app changes its label from 'GPS Location Maps' to 'Settings' and then shows additional websites in WebViews and an advertisement.

WebViews is part of the Android operating system that allows apps to load content like web pages, ads, and more.

The 'GPS Locations Maps' app makes it difficult for users to find and uninstall it by changing its icon. Also, on some devices, a few malicious apps even request permission to bypass the battery optimization feature and start foreground services notifications to stay alive and not get killed by the system.

Many of the detected apps also request permission to display over other apps, which means that they are likely also simulating user clicks to rake on profits.

Code Obfuscation Used to Remain Hidden

The developers who created the 'GPS Location Maps' added heavy code obfuscation and encryption in order to make reverse engineering difficult. The main Java malicious payload hides inside two encrypted DEX files, and the decryption occurs inside obfuscated native code. Even after decryption, the resulting Java code strings remain obfuscated.

Malicious behavior like changing the icon also happens in a different native 'so' file than the one used for decryption and remains obfuscated.

Encrypted DEX files inside the assets of the application:

Obfuscated strings (base64 into XOR):

Native functions declared:

Hiding the Icon To Stay Covert

One way to stay hidden from a user bent on uninstalling the app is to change the icon into something innocuous, like the 'Settings' app. It does that by declaring an alias launcher. After installing another icon and label, it changes the main launcher, replacing it with the alias one with the label and icon for 'Settings.'

The alias launcher corresponds to another activity, hidden inside the `com.android.setting` package, probably to look more legit. When launched, this activity renders itself with '0' size in a corner, then launches the setting page for the phone, tricking the user into thinking that the real settings button was pressed.

Alias:

Fake settings activity:

Some apps also contain different icon launchers for the settings app, depending on the device:

Hiding from recent apps

Another interesting technique developers use to obscure apps is to ensure they don't show in the list of the most recently used apps on Android. These apps also have the flag android:excludeFromRecents="true" set in their manifest, meaning that when a user looks at recent apps opened on the device, the adware app is not present among them.

'GPS Location Maps' is just one of the many that we have identified to manifest similar malicious behavior. We noticed that the initial versions of some of the detected apps didn't contain the "Settings" icons. The developers added the icons in subsequent app updates on the Play store.

When we look closer at the developers of the packed and obfuscated apps, a pattern emerges, showing a similar naming style. All the malicious app developers have just one application uploaded to the store. Also, the emails and websites related to the developers look similar to each other, which likely leads us to believe that all of these apps are the work of a single group or even developer.

The malicious behavior doesn't trigger on all devices, as there are some checks embedded in the apps likely related to the device location, language or other factors.

Other Apps on Google Play With Similar Behavior

Conclusions

While official stores are usually very good at weeding malicious or dangerous applications out, some history shows that a small number of bad apps manage to get through and make victims until they get reported. Just because we download an app from the official store doesn't mean it will be safe. We continue to build new detection capabilities in Bitdefender Mobile Security to help users identify bad applications and have them removed from the system.

You can also follow a few simple rules that can keep you safer:

• Don't install apps that you don't really need
• Remember to delete apps you no longer user
• Be wary of apps with a large number of downloads and few or no reviews
• Be wary of apps that request special permissions, like Drawing over apps or access to Accessibility
• Be wary of apps that request access to permissions that have nothing to do with the advertised functionality
• Always run a security solution in the background that can detect malicious behavior. Just because an app is downloaded from an official store doesn't mean it's safe.

Indicators of Compromise

APK hashes