The Google Play Store is generally fairly safe, but it is possible for application developers to sneak malware into it. TechCrunch is reporting that more than 500,000 Android users have downloaded applications that contain malware without their knowledge.
In total, 13 applications were released on the Google Play Store posing as driving and racing simulators. Once the user launches the apps, they would seem to be just a buggy game that would crash repeatedly, causing the user to launch them over and over again.
However, the apps were actually downloading a payload from another domain that was registered to an app developer in Istanbul. In the process, the apps would install malware to the user’s device and delete the icon from the screen in the process. This makes it difficult for the user to remove the application from their device.
At this time it’s not clear exactly what it does once the malware is installed. None of the malware scanners can agree on exactly what it will do to a user’s device. However, what we do know is that it’s a persistent malware and that will run each time the user restarts his or her phone. It could be adware, which is a script that clicks ads on user’s behalf and allows the hacker to generate revenue from said ads.
Additionally, the malware appears to have full access to the device’s network traffic, which means the malware’s creator could steal private information from the user who has it installed on their device.
TechCrunch reached out to the owner of the domain, but as you might expect, they did not receive a response.
The scariest part is that two of the apps are actually trending on the Play Store, which means they are gaining even more exposure to users.
The malicious software was first discovered by Lukas Stefanko, who is a malware researcher at ESET. In a tweet, he says, “Don’t install these apps from Google Play – it’s malware.”
He goes on, “This app is downloaded in the background and requests user to install it. Once launched, it hide itself & displays ads when device is unlocked.”
App functionality demonstration pic.twitter.com/11HskeD56S
— Lukas Stefanko (@LukasStefanko) November 19, 2018
In the tweet above, Stefanko posted a video showing exactly what happens when a user installs the application.
For its part, Google could stand to do a better job of protecting users of its store. Unlike the Apple App Store, which has a very strict approval process, Google Play lets far more applications through, which is how malware like this are able to get on the store.