How Malicious Apps Make Their Way into the Play Store Despite Security Walls
- Recently, researchers from Trend Micro reported 49 new adware apps on Google Play, disguised as games and stylized cameras.
- Google announced its collaboration with ESET, Lookout, and Zimperium to find and protect against adware and cyberattacks.
In the past few months, several malicious Android apps were identified and removed from Google’s Play Store. But the cycle of Android malware discovery and removal doesn’t look like it will end anytime soon. In September alone, researchers uncovered a total of 172 infected apps with over 335 million installs.
Recently, researchers from Trend Micro reported 49 new adware apps on Google Play, disguised as games and stylized cameras. Though they are no longer live, new versions are still being uploaded by the same parties, according to the report.
How malicious apps slip through security nets
There are countless app submissions every day, and Google Play uses a range of barriers to reject applications believed to be malicious. Despite that, fraudsters often find new ways to trick Google into accepting their submissions. In a recent technical paper, researchers from Bitdefender Labs detailed the techniques threat actors use to bypass the security filters Google has put in place. Below are some of those techniques:
- Logic encryption and obfuscated coding: The developers avoid placing an app's main logic in standard code and instead rely on a native executable dynamic library. That code is decrypted and loaded at runtime, which conceals the malicious functionality until the app has been downloaded and executed on the victim’s device. At times, the code is also heavily obfuscated to evade security checks.
- Time checks and ad display duration: According to researchers, malicious apps check that the system time is at least 18 hours past a specific hardcoded time value. Only once this check passes do the apps start hiding their presence on the victim’s device. Some adware apps also wait longer between ad displays (up to 350 minutes) to avoid arousing the user's suspicion.
- Open-source utility libraries: Open-source libraries, such as those from Evernote or Dropbox, were used to pull and run jobs in the background instead of an Android API. The malicious apps use these for their ‘ShowAds’ or ‘ShowAdsHideIcon’ activity too.
- Clean SDKs (initially): Malicious app developers first publish a clean version of their app, only to later replace it with one bundled with adware. The malicious functionality is introduced gradually through updates and by changing the configuration and behavior of the apps.
Besides these, malicious app developers have adopted other techniques to circumvent Google’s app vetting system. Some submit an identical codebase via different developer accounts, and some use remote server configuration or commands to hide malicious code.
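The traits listed above (logic deferred to a native library, an 18-hour delay gate, a hidden launcher icon, a third-party job library, and long ad intervals) can be turned into a simple triage heuristic for decompiled app sources. The following is an added example, not code from Trend Micro, Bitdefender or Google; the decompiled snippets are constructed, and the `hideIcon()` and `"ShowAds"` names are hypothetical stand-ins for the behaviour the article describes.

```python
import re

# Constructed decompiled-source excerpts (not from any real app on the page); the
# hideIcon()/ShowAds names are hypothetical stand-ins for the behaviour described.
SAMPLE_APPS = {
    "stylized_camera_demo": """
        static { System.loadLibrary("core-loader"); }   // main logic lives in a native .so
        long start = 1568000000000L;                    // hardcoded reference time
        if (System.currentTimeMillis() - start > 18L * 60L * 60L * 1000L) { hideIcon(); }
        pm.setComponentEnabledSetting(alias, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 0);
        new JobRequest.Builder("ShowAds").setPeriodic(350L * 60L * 1000L).build().schedule();
    """,
    "clean_flashlight_demo": """
        public void onCreate() { setContentView(R.layout.main); }
    """,
}

TIME_GATE = re.compile(r"currentTimeMillis\(\)\s*-\s*\w+\s*>\s*([\dL\s*]+)")
PERIODIC = re.compile(r"setPeriodic\(\s*([\dL\s*]+)\)")
NATIVE_LOADER = re.compile(r"System\.loadLibrary\(")
ICON_HIDDEN = re.compile(r"setComponentEnabledSetting\(.*COMPONENT_ENABLED_STATE_DISABLED")
JOB_LIBRARY = re.compile(r"JobRequest\.Builder\(")

def product_of_literals(expr: str) -> int:
    """Evaluate a Java millisecond product such as '18L * 60L * 60L * 1000L'."""
    value = 1
    for literal in re.findall(r"\d+", expr):
        value *= int(literal)
    return value

def triage(source: str) -> dict:
    """Score one decompiled app for the evasion traits listed in the article."""
    gate = TIME_GATE.search(source)
    period = PERIODIC.search(source)
    report = {
        "native_loader": bool(NATIVE_LOADER.search(source)),
        "icon_hidden": bool(ICON_HIDDEN.search(source)),
        "job_library": bool(JOB_LIBRARY.search(source)),
        "delay_hours": product_of_literals(gate.group(1)) / 3_600_000 if gate else 0.0,
        "ad_interval_minutes": product_of_literals(period.group(1)) / 60_000 if period else 0.0,
    }
    # Hiding the launcher icon is unusual for a game or camera app; paired with a long
    # delay gate or a native loader it matches the staged behaviour researchers describe.
    staged = report["delay_hours"] >= 12 or report["native_loader"]
    report["verdict"] = "suspicious" if report["icon_hidden"] and staged else "review" if staged else "benign"
    return report

if __name__ == "__main__":
    for name, src in SAMPLE_APPS.items():
        print(name, triage(src))
```

Such a heuristic only surfaces candidates for manual review; the staged-update and multi-account tactics described above leave no trace in a single APK and need store-side telemetry instead.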
Google's upcoming moves for improving Android security
Recently, Google announced its collaboration with ESET, Lookout, and Zimperium to more effectively prevent malicious apps from making their way onto the Play Store. Naming the initiative the App Defense Alliance, the US-based tech company says the alliance will help reduce the risk of app-based malware and protect over 2.5 million Android users from new threats.
The two broad responsibilities shared by the stakeholders are ensuring the safety of the Google Play Store, and quickly finding potentially harmful applications and stopping them from being published.
In April, the search giant also said that it would take more time to review apps submitted by developers with newly created accounts.