uTalk

Official forum for Utopia Community


#1 2023-08-03 23:32:17

thrive
Member
Registered: 2023-01-04
Posts: 2,018

Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play

Versioning is a tactic used by threat actors to target Android users and avoid being detected as malware by the Google Play Store.

The Google Cybersecurity Action Team (GCAT) stated in its August 2023 Threat Horizons Report, which was shared with The Hacker News, that "campaigns using versioning commonly target users' credentials, data, and finances."

Although versioning is not a recent occurrence, it can be subtle and challenging to identify. By using this technique, an app developer publishes an initial version of the app on the Play Store, which later gets updated with malware and passes Google's pre-publication checks.

This is done by using a technique known as dynamic code loading (DCL) to push an update from an attacker-controlled server that serves malicious code on the end user device, essentially converting the app into a backdoor.

An application called "iRecorder - Screen Recorder" was found by ESET earlier this May. It was safe to use for almost a year after it was first added to the Play Store before malicious modifications were surreptitiously added to spy on its users.

SharkBot, which has shown up on the Play Store several times under the guise of security and utility apps, is another instance of malware that uses the DCL technique.

Utilizing the Automated Transfer Service (ATS) protocol, SharkBot is a financial trojan that starts unapproved money transfers from infected devices.


In an attempt to draw less attention, dropper applications that show up on the storefront have limited functionality and, once installed by the victims, download the full version of the malware.

"Defense-in-depth principles, such as restricting application installation sources to reliable sources like Google Play or using a mobile device management (MDM) platform to manage corporate devices, are necessary in an enterprise setting, as versioning demonstrates," the enterprise said.

The findings coincide with ThreatFabric's disclosure, as KrebsOnSecurity reports, that malware distributors have been using an Android bug to disguise malicious apps as benign by "corrupting components of an app," leaving the app intact.

"Perpetrators may simultaneously have multiple apps published in the store under distinct developer accounts; only one of these apps is malicious; the other serves as a backup to be utilized following removal," the June report from the Dutch cybersecurity firm stated.

"This strategy reduces the amount of time required for actors to launch another dropper and carry on the distribution campaign, enabling them to sustain extremely lengthy campaigns."

It is advised that Android users download apps only from reliable sources and turn on Google Play Protect to get alerts whenever a potentially harmful app (PHA) is discovered on the device in order to reduce any potential risks.
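One way a defender can triage the versioning pattern described above, as an added example that is not part of the original post or of any product it mentions: a Python check that flags dynamic-code-loading references in an APK's dex files and reports those introduced by an update relative to the previously vetted version. The APK contents here are constructed stand-ins (a plain-text manifest and a fake dex string table), and the heuristic is string matching only, so it is a triage signal rather than a verdict.

```python
import io
import re
import zipfile

# Class descriptors, as they appear in a dex string table, for the Android
# loaders that can pull in code at runtime (dynamic code loading, DCL).
DCL_DESCRIPTORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/BaseDexClassLoader;",
    b"Ldalvik/system/DexFile;",
)
# A remote-update backdoor needs network access; a real APK manifest is binary
# XML, so the permission name is also searched in its UTF-16LE form.
INTERNET = "android.permission.INTERNET"


def dcl_indicators(apk_bytes):
    """Return the set of DCL loader descriptors referenced by any classes*.dex in the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                dex = apk.read(name)
                found.update(d.decode() for d in DCL_DESCRIPTORS if d in dex)
    return found


def has_internet_permission(apk_bytes):
    """True if the manifest declares INTERNET (checked as UTF-8 and UTF-16LE)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        manifest = apk.read("AndroidManifest.xml")
    return INTERNET.encode() in manifest or INTERNET.encode("utf-16-le") in manifest


def versioning_diff(old_apk, new_apk):
    """DCL indicators present in the update but absent from the earlier vetted version."""
    return dcl_indicators(new_apk) - dcl_indicators(old_apk)


def build_fake_apk(dex_strings, permissions):
    """Constructed stand-in for an APK: a zip with a fake dex string table and a plain-text manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
        z.writestr("AndroidManifest.xml", " ".join(permissions).encode())
    return buf.getvalue()


# Constructed sample: version 1 is a plain recorder; version 2 adds a loader that
# can execute code fetched from a server after the update has passed review.
V1 = build_fake_apk([b"Lcom/example/recorder/MainActivity;", b"Landroid/media/MediaRecorder;"], [INTERNET])
V2 = build_fake_apk([b"Lcom/example/recorder/MainActivity;", b"Ldalvik/system/DexClassLoader;",
                     b"Ljava/net/HttpURLConnection;"], [INTERNET])

if __name__ == "__main__":
    print("new DCL indicators in update:", sorted(versioning_diff(V1, V2)))
```

In practice the same diff can be run across every update a fleet receives, flagging apps whose loader references appear only after the initial vetted release.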

