Malicious apps still getting past Google controls

Malicious mobile applications continue to pop up on the Google Play store with alarming regularity in spite of Google’s recently formed App Defence Alliance, according to researchers at Check Point, who have identified multiple apps being used to infect Android devices with various strains of malware, including a newly identified clicker known as Haken.

The App Defence Alliance was established by Google, alongside partner Eset, Lookout and Zimperium, in November 2019.

Setting out his stall, Dave Kleidermacher, vice-president of Android security and privacy at Google, said at the time: “Our number one goal as partners is to ensure the safety of the Google Play Store, quickly finding potentially harmful applications and stopping them from being published.

“As part of this alliance, we are integrating our Google Play Protect detection systems with each partner’s scanning engines. This will generate new app risk intelligence as apps are being queued to publish. Partners will analyse that dataset and act as another, vital set of eyes prior to an app going live on the Play Store.”

However, as Check Point found, the partnership is not spotting everything. Haken, which was found lurking in eight apps, has the ability to take control of a device and click on anything that may appear on its screen. This is particularly dangerous because it gives it the ability to access any data, including data visible on screen.

According to Check Point, Haken uses native code and injection to Facebook and AdMob libraries while communicating with a remote server to implement the clicker functionality.

This has a twofold impact – first, it can sign the user up to premium subscription services without their knowledge or consent; second, it can extract sensitive data from the victim device.

Haken has already been downloaded more than 50,000 times, and the group behind it appear to be disguising it as camera utilities and children’s games. The eight apps identified were Kids Coloring, Compass, grcode, Fruits coloring book, Soccer coloring book, Fruit jump tower, Ball number shooter, and Inongdan. Google has now removed all of them from the store.

Haken was spotted while Check Point’s team was hunting another clicker called ai.type or BearCloud, which has recently increased in volume of infections and was found to be contained in 47 apps with a total of 78 million downloads that were available on Google Play. Unlike Haken, BearCloud utilises a web-view creation and loading of malicious JavaScript code to perform its function.

Check Point’s team also unearthed more apps acting as vectors for the Joker malware family, a spyware and dialler that subscribes its victims to premium services, which was first identified five months ago, and keeps sneaking back into the Google Play store despite being repeatedly thrown out.

Apps serving to infect victims with Joker included – prior to their removal – Homely Wallpaper, Landscape Camera and Flowery Photo Editor.

“The discovery of the malicious apps highlights that despite ongoing efforts to secure the Google Play Store against them, rogue apps can still be uploaded,” said Check Point in its disclosure.

“There are nearly three million apps available from the store, with hundreds of new apps uploaded daily, which makes it difficult to check every single app is safe.

“Some app developers have devised ingenious methods to conceal their apps’ true intent from Google’s scrutiny. Coupled with a fragmented Android ecosystem, in which a large number of device manufacturers infrequently offer critical OS updates, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”

As ever, as a first line of defence users should be deploying on-board security software on their devices to ward off such threats and protect their personal or business data.

If the worst has happened and you are one of those who has downloaded one of the malicious apps, best practice is to uninstall the application immediately, and check mobile and credit card bills with a fine toothcomb. You should then consider what steps to take to protect yourself in future, such as being more judicious about what you download.