{"id":23346,"date":"2023-11-09T07:30:04","date_gmt":"2023-11-09T15:30:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/11\/09\/news-17076\/"},"modified":"2023-11-09T07:30:04","modified_gmt":"2023-11-09T15:30:04","slug":"news-17076","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/11\/09\/news-17076\/","title":{"rendered":"Google Play malware clocks up more than 600 million downloads in 2023 | Kaspersky official blog"},"content":{"rendered":"

Credit to Author: Alanna Titterington| Date: Thu, 09 Nov 2023 14:36:58 +0000<\/strong><\/p>\n

Users tend to think it’s safe to install apps from Google Play. After all, it’s the most official of all official stores for Android, and all apps there are thoroughly vetted by Google moderators, right?<\/p>\n

Bear in mind, however, that Google Play is home to more than three million unique apps<\/a>, most of which get updated regularly, and to vet all of them thoroughly \u2014 that is, really <\/em>thoroughly \u2014 is beyond the resources of even one of the world’s largest corporations.<\/p>\n

Well aware of this, makers of malicious apps have developed a number of techniques to sneak their creations onto Google Play. In this post, we take a look at the most headline-grabbing cases of 2023 regarding malicious apps on the official Android store, with total downloads in excess of \u2014 wait for it \u2014 600 million. Let’s go!…<\/p>\n

50,000 downloads: infected iRecorder app eavesdrops on users<\/h2>\n

Let’s start with the fairly minor, but quite interesting and highly illustrative case of iRecorder. This unremarkable screen-recording app for Android smartphones was uploaded to Google Play in September 2021.<\/p>\n

But then, in August 2022, its developers added some malicious functionality: code from the remote access Trojan AhMyth, which caused the smartphones of all users who had installed the app to record sound from the microphone every 15 minutes and send it to the server of the app creators. By the time researchers discovered the malware<\/a> in May 2023, the iRecorder app had been downloaded more than 50,000 times.<\/p>\n

This example demonstrates one of the ways in which malicious apps creep into Google Play. First, cybercriminals upload an innocuous app to the store that’s guaranteed to sail through all moderation checks. Then, when the app has built an audience and some kind of reputation (which can take months or even years), it’s augmented with malicious functionality in its next update uploaded to Google Play.<\/p>\n

620,000 downloads: Fleckpe subscription Trojan<\/h2>\n

Also in May 2023, our experts found several apps on Google Play<\/a> infected with the Fleckpe subscription Trojan. By that time, they’d already chalked up 620,000 installs. Interestingly, these apps were uploaded by different developers. And this is another common tactic: cybercriminals create numerous developer accounts in the store so that even if some get blocked by the moderators they can just upload a similar app to another account.<\/p>\n

\"Apps<\/a><\/p>\n

Apps on Google Play infected with the Fleckpe subscription Trojan<\/p>\n<\/div>\n

When the infected app was run, the main malicious payload was downloaded to the victim’s smartphone, after which the Trojan connected to the command-and-control server and transferred country and cellular operator information. Based on this information, the server provided instructions on how to proceed. Fleckpe then opened web pages with paid subscriptions in a browser window invisible to the user, and by intercepting confirmation codes from incoming notifications subscribed the user to needless services paid for through the cellular operator account.<\/p>\n

1.5 million downloads: Chinese spyware<\/h2>\n

In July 2023, Google Play was found to be hosting<\/a> two file managers \u2014 one with one million downloads, the other with half a million. Despite the developers’ assurances that the apps don’t collect any data, researchers found that both transmitted a lot of user information to servers in China, including contacts, real-time geolocation, data about the smartphone model and cellular network, photos, audio and video files, and more.<\/p>\n

\"File<\/a><\/p>\n

File managers on Google Play with Chinese spyware inside. Source<\/a><\/p>\n<\/div>\n

To avoid being uninstalled by the user, the infected apps hid their desktop icons \u2014 another common tactic used by mobile malware creators.<\/p>\n

2.5 million downloads: background adware<\/h2>\n

In a recent case of malware detection on Google Play in August 2023, researchers found<\/a> as many as 43 apps \u2014 including, among others, TV\/DMB Player, Music Downloader, News, and Calendar \u2014 that secretly loaded ads when the user’s smartphone screen was off.<\/p>\n

\"Apps<\/a><\/p>\n

Some of the apps with hidden adware. Source<\/a><\/p>\n<\/div>\n

So as to be able to carry out their business in the background, the apps requested the user to add them to the list of power-saving exclusions. Naturally, affected users experienced reduced battery life. These apps had a combined total of 2.5 million downloads, and the target audience was primarily Korean.<\/p>\n

20 million downloads: scammy apps promise rewards<\/h2>\n

A study published in early 2023 revealed several shady apps<\/a> on Google Play with more than 20 million downloads between them. Positioning themselves primarily as health trackers, they promised users cash rewards for walking and other activities, as well as for viewing ads or installing other apps.<\/p>\n

\"Scam<\/a><\/p>\n

Apps on Google Play promising rewards for walking and viewing ads. Source<\/a><\/p>\n<\/div>\n

More precisely, the user was awarded points for these actions, which could then supposedly be converted into real money. The only trouble was that to get a reward, you had to amass such a huge number of points that it was effectively impossible.<\/p>\n

35 million downloads: Minecraft clones with adware inside<\/h2>\n

Google Play also became home to malicious games this year, with the main culprit (and not for the first time<\/a>) being Minecraft \u2014 still one of the most popular titles in the world. In April 2023, 38 Minecraft clones were detected<\/a> in the official Android store, with a total of 35 million downloads. Hidden inside these apps was adware called, appropriately enough, HiddenAds.<\/p>\n

\"Adware-infected<\/a><\/p>\n

Block Box Master Diamond \u2014 the most popular of the Minecraft clones infected by HiddenAds. Source<\/a><\/p>\n<\/div>\n

When the infected apps were launched, they “displayed” hidden ads without the user’s knowledge. That didn’t pose a serious threat per se, but such behavior could have affect device performance and battery life.<\/p>\n

And those infected apps could always be followed up later by a far less harmless monetization scheme. This is another standard tactic of Android malware app creators: they readily switch between different types of malicious activity depending on what’s profitable at any given moment.<\/p>\n

100\u00a0million downloads: data harvesting and click fraud<\/h2>\n

Also in April 2023, another 60 apps<\/a> were found on Google Play infected with adware that researchers dubbed Goldoson. These apps collectively had more than 100 million downloads on Google Play and a further eight million on the popular Korean ONE store<\/a>.<\/p>\n

This malware also “showed” hidden ads by opening web pages within the app in the background. In addition, the malicious apps collected user data \u2014 including information about installed apps, geolocation, addresses of devices connected to the smartphone via Wi-Fi and Bluetooth, and more.<\/p>\n

Goldoson seems to have gotten into all these apps along with an infected library used by many legitimate developers that were simply unaware that it contained malicious functionality. And this isn’t an uncommon occurrence: often malware creators don’t develop and publish apps on Google Play themselves, but instead create infected libraries of this kind that end up in the store along with other developers’ apps.<\/p>\n

451 million downloads: mini-game ads and data harvesting<\/h2>\n

We close with the biggest case of the year: in May 2023, a team of researchers found<\/a> a whopping 101 infected apps on Google Play, with combined downloads of 421 million. Lurking inside each and every one of them was malware called SpinOk.<\/p>\n

Shortly after that, another team of researchers discovered 92 more apps<\/a> on Google Play infected with the same SpinOk, with a slightly more modest number of downloads \u2014 30\u00a0million. In total, almost 200 infected apps were found with 451 million downloads from Google Play. This is another case of apps being infected through a malicious library.<\/p>\n

\"Mini-games<\/a><\/p>\n

Mini-games promising “rewards” that SpinOk-infected apps show to users. Source<\/a><\/p>\n<\/div>\n

On the surface, the infected apps’ task was to display intrusive mini-games promising cash rewards. But that wasn’t all: in the background, the malicious library was busy collecting and sending user data and files to the attackers’ command-and-control server.<\/p>\n

How to guard against malware on Google Play<\/h2>\n

Of course, we haven’t covered all the cases of malicious apps getting onto Google Play in 2023 \u2014 only the most eye-catching. The main takeaway from this post is this: malware on Google Play is far more common than any of us would like to think \u2014 infected apps have a combined download total in excess of half a billion!<\/p>\n

Nevertheless, official stores remain by far the safest sources. Downloading apps elsewhere is far more dangerous, for which reason we strongly advise against it<\/a>. But you must exercise caution in official stores as well:<\/p>\n