{"id":16636,"date":"2019-09-11T09:39:27","date_gmt":"2019-09-11T13:39:27","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/google-play-malware\/16636\/"},"modified":"2020-04-02T16:07:50","modified_gmt":"2020-04-02T10:37:50","slug":"google-play-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/google-play-malware\/16636\/","title":{"rendered":"All apps on Google Play are safe: Fact or fiction?"},"content":{"rendered":"<p>We always recommend downloading Android apps from official stores and nowhere else. But that doesn\u2019t mean there are no viruses on Google Play. It is true, however, that you\u2019ll find fewer of them in the official store than on third-party sites, and they get removed on a regular basis.<\/p>\n<h2>How Google monitors the security of Android apps<\/h2>\n<p>It is no mean feat for malware to get into Google Play. Before they publish an app, moderators check it for compliance with an <a href=\"https:\/\/play.google.com\/about\/developer-content-policy\/?hl=EN\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">extensive list of requirements<\/a>. If they find a violation, they ban the program from the store.<\/p>\n<p>However, Google Play receives such a vast number of new apps and updates of existing ones that it is simply not possible for the moderators to keep track of everything. So from time to time, malicious apps do slip in. Here are some of the most striking incidents.<\/p>\n<h3>Ad you don\u2019t want to see<\/h3>\n<p>Recently, our researchers <a href=\"https:\/\/www.kaspersky.com\/blog\/camscanner-malicious-android-app\/28156\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">detected malicious code in the CamScanner<\/a> app for digitizing documents. Not only was the app available on Google Play, but according to the store it was installed by more than 100 million users.<\/p>\n<p>What went wrong? 
Well, up until a certain point, CamScanner was a normal app that simply carried out its stated functions. Its developers derived income from advertising and paid features\u00a0\u2014 nothing unusual so far. But that changed when a malicious advertising module was added to the app.<\/p>\n<p>Malware in the shape of the Necro.n <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/trojan-droppers\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">Trojan dropper<\/a> snuck into one of the advertising modules and installed another Trojan tasked with downloading other muck onto the device\u00a0\u2014 for example, <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/adware\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">advertising apps<\/a> and programs taking out paid subscriptions to third-party services behind the user\u2019s back.<\/p>\n<p>Our experts reported the find to Google, whose administrators removed the app from the store. CamScanner\u2019s developers also promptly removed the malicious modules from the app to get it back into the store. However, the infected version had been available for download for quite some time.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-2\">\n<h3>Thieving player<\/h3>\n<p>CamScanner is by no means the only example of an app that saw malicious features appearing after it was already available in the Google Play store. The creators of a Trojan disguised as a player for listening to music in VKontakte (VK) managed to bypass the store\u2019s moderators in the same manner for several years.<\/p>\n<p>A clean version was initially uploaded to Google Play, followed by a couple of harmless updates. But a few updates in, the app began stealing logins and passwords from VK accounts. 
Moreover, the victims most likely knew nothing about it, and their accounts were surreptitiously used to promote VK groups.<\/p>\n<p>When the updated version of the player was unmasked and deleted from the store, its creators immediately uploaded a new one (actually, several). In 2015, no fewer than seven different builds of the malicious program were <a href=\"https:\/\/securelist.com\/stealing-to-the-sound-of-music\/72458\/\" target=\"_blank\" rel=\"noopener noreferrer\">removed from Google Play<\/a>. And a few more in 2016. Over a two-month period in 2017, our analysts counted <a href=\"https:\/\/securelist.com\/still-stealing\/83343\/\" target=\"_blank\" rel=\"noopener noreferrer\">85 such apps<\/a> on Google Play, one of which had been downloaded more than a million times. In addition, fake versions of Telegram by the same authors appeared in the store\u00a0\u2014 these apps did not steal passwords, but they added the victim to groups and chats of interest to the cybercriminals.<\/p>\n<h3>Malicious army on Google Play<\/h3>\n<p>Alas, 85 copies of one malicious app is not where the story ends. In 2016, experts found no fewer than <a href=\"https:\/\/www.kaspersky.com\/blog\/dresscode-android-trojan\/13219\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">400 games and other programs<\/a> on Google Play furnished with the DressCode Trojan.<\/p>\n<p>Once on a victim\u2019s device, the malware establishes a connection with the command-and-control server and then \u201cfalls asleep.\u201d Later, cybercriminals can use such infected sleeper gadgets for DDoS attacks, to inflate ad-banner clicks, or to infiltrate the local networks to which the gadgets are connected, such as a home network or a company\u2019s infrastructure.<\/p>\n<p>In fairness, Google Play moderators cannot really be blamed for the oversight; DressCode is quite difficult to spot\u00a0\u2014 its code is so small that it gets lost in that of the media app. 
Besides, significantly more infected programs were detected on third-party sites than on Google Play\u00a0\u2014 in total, the researchers found approximately 3,000 games, skins, and smartphone cleaning apps containing the DressCode Trojan. Yet 400 is still an awful lot.<\/p>\n<h2>How not to pick up malware on Google Play<\/h2>\n<p>As you can see, the mere fact that an app made it into the official Android store does not mean that it is safe\u00a0\u2014 sometimes malware does get in. To avoid an infection, be wary of all programs, including those on Google Play, and observe several rules of digital hygiene.<\/p>\n<ul>\n<li>Do not download apps to your smartphone straight away. Read user reviews of the app\u00a0\u2014 they can contain valuable information about its behavior. Look for information about the developer; perhaps its past creations were removed from the store, or it is linked to some dubious stories.<\/li>\n<li>Read user reviews with caution. Keep in mind that some shady developers may flood their pages with <a href=\"https:\/\/www.kaspersky.com\/blog\/dont-believe-google-play-ratings\/12882\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">positive reviews<\/a>, so look for reviews of a decent length (not simply \u201cGreat app!\u201d after \u201cGreat app!\u201d) that use natural-seeming language and have a legitimate feel.<\/li>\n<li>Make it a rule to rid your Android smartphone or tablet of unnecessary programs once every few months. 
The fewer apps on the device, the easier it is to monitor and control them.<\/li>\n<li>Use a <a href=\"https:\/\/www.kaspersky.co.in\/mobile-security?icid=in_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____ccbe3384bb4e1385\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a><b> <\/b>\u2014 this will protect you from threats the Google Play moderators miss.<\/li>\n<\/ul>\n<p><strong>So, is it fact or fiction that there are no malicious apps on Google Play?<\/strong><\/p>\n<p><strong>Fiction. Malware does occasionally infiltrate Google Play. The risk of picking up an infection in the official Android store is much lower than on third-party sites, but it still exists.<\/strong><\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic\">\n","protected":false},"excerpt":{"rendered":"<p>There\u2019s no malware in the official Android store, right? We get to the bottom of this claim.<\/p>\n","protected":false},"author":2484,"featured_media":16637,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2196],"tags":[105,1222,183,97,45,527,1898],"class_list":{"0":"post-16636","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-fact-or-fiction","10":"tag-google-play","11":"tag-security-2","12":"tag-smartphones","13":"tag-threats","14":"tag-tips"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/google-play-malware\/16636\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/google-play-malware\/14028\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/google-play-malware\/6503\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/google-play-malware\/18602\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/google-play-malware\/16674\/"},{"href
lang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/google-play-malware\/15428\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/google-play-malware\/19299\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/google-play-malware\/17997\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/google-play-malware\/23629\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/google-play-malware\/6434\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/google-play-malware\/28604\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/google-play-malware\/12310\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/google-play-malware\/12318\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/google-play-malware\/11181\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/google-play-malware\/20199\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/google-play-malware\/24133\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/google-play-malware\/24283\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/google-play-malware\/19072\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/google-play-malware\/23358\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/google-play-malware\/23268\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/16636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=16636"}],"vers
ion-history":[{"count":6,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/16636\/revisions"}],"predecessor-version":[{"id":20208,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/16636\/revisions\/20208"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/16637"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=16636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=16636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=16636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}