At Least 145 Google Play Apps Could Install Keyloggers to Steal Passwords

Sometimes a malicious program could hide in plain sight for a very long time before it gets taken care of. Having that in mind, we would like to talk about how Google had to remove 145 apps from Google Play because they were found to contain malware. The problem behind such cybercrime is quite complicated, and Google Play malware might be just one of the many ways for cybercriminals to reach their targets. It is very unfortunate that no one is safe these days, but this is the world we live in, and we have to be ready to take it on.

What Happened to Google Play?

The story goes back to October and November 2017, when a list of inconspicuous apps was available on Play Store. And by inconspicuous we mean such apps as Yoga Medication, Japanese Garden, Fashion Muslin, Unique T-shirt, and many others. Judging from the names of these applications, you would never guess that they are somehow malicious, right? What's more, even if you were to install these apps on your Android device, nothing would happen. That is because the malware inside those apps does not affect Android devices. The malicious components start working only when the app in question is opened on a Windows PC. Sneaky, isn't it?

How Does Google Play Malware Work?

According to the researchers at Palo Alto Networks Unit 42, the 145 Google Play apps were infected with malicious Microsoft Windows executable files. After the team reported its findings to the Google Security Team, the corrupted apps were removed from the Google Play store. Yet, why would anyone include a malicious Microsoft Windows file in an Android app? What are the chances that a user would open such an app on a Windows device?

Well, apparently, the chances are pretty high if such a method of malware distribution exists. Google Play app store malware is an example of a software supply chain threat. It means that if a computer used by a software developer is compromised and the developer is not aware of that, the software that they develop on such a computer may eventually affect multiple third parties. Perhaps one of the best examples of such a malware infection is the notorious NotPetya ransomware. This infection exploited a genuine software program used by multiple companies in Ukraine to reach its targets.

Although the Google Play malware incident does not live up to the ransomware scale, the overall principle is similar. Judging from the Android Package (APK) files that were infected with malware, researchers say that the developers must have built their software on compromised Windows computers. As a result, the malware that was installed on the affected system was carried over into the Android app, too. And while the app itself is only a carrier that cannot inflict any kind of damage on an Android device, if anyone downloads and opens such an application on a Windows computer, they might be in for trouble.
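As an added example (not part of the original article or of Unit 42's tooling), the check below opens an APK as the ZIP archive it is and flags any member that carries a Windows PE header, which is the kind of store-side screen that would catch carrier apps like these; the sample APK it scans is constructed inline and its "executable" is only a header stub, not a real program.

```python
import io
import struct
import zipfile

# An APK is a ZIP archive, so each member can be checked for the PE layout:
# an "MZ" DOS header whose e_lfanew field (offset 0x3C) points at "PE\0\0".
PE_SIGNATURE = b"PE\0\0"


def looks_like_pe(data: bytes) -> bool:
    """Return True if the byte string has a structurally valid PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_pe_entries(apk_bytes: bytes) -> list:
    """List every archive member of an APK that carries a PE executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as member:
                head = member.read(0x1000)  # the header region is enough
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-like ZIP with clean assets and one
    member holding a stub PE header (hypothetical name, not a real binary)."""
    stub_pe = bytearray(0x80)
    stub_pe[:2] = b"MZ"
    struct.pack_into("<I", stub_pe, 0x3C, 0x40)  # e_lfanew -> 0x40
    stub_pe[0x40:0x44] = PE_SIGNATURE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/background.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("assets/loader.exe", bytes(stub_pe))
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_pe_entries(build_sample_apk()):
        print("PE executable found in APK member:", name)
```

Pointing `find_pe_entries` at a real APK read from disk works the same way; a clean Android app should return an empty list.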

How Does Google Play App Store Malware Function on Windows?

When these Google Play malware files are run in the Windows environment, they might perform a number of malicious tasks, depending on what the original malware developers intended them to do. For one, we do know that the main purpose of the malicious files is keylogging. It means that Google Play App Store malware could be used to steal passwords and other sensitive information from unsuspecting users. It wouldn't be that surprising, considering that data theft is at an all-time high nowadays. With a keylogger on their computers, victims might lose a lot of personal data, and it can happen quite fast.

When the Google Play malware keylogger enters the Windows system, it creates hidden executable files in the Windows system folders and makes sure that the files are run automatically whenever the Windows system is turned on. The malicious file may also stay inactive for a long time, but just like any other keylogger out there, it might attempt to connect to a remote server at 87.98.185.184 via port 8829.

What Are the Implications of Google Play Malware?

A number of news sites that reported this issue have emphasized that the most common payload of such malware is a keylogger. This would mean that once the malware is unpacked, the malicious file would record the victim's keystrokes, which would lead to leaks of passwords, credit card numbers, and other personal information. It clearly sounds very intimidating, but how relevant is this for an average Android user?

Well, to tell you the truth, if you just use a certain app on your Android device, this Google Play malware issue shouldn't bother you at all. Since the malicious file does not work on Android devices, you would actually have to make an effort for it to infect your Windows machine. That would require you to download and open the APK file in the Windows environment. And we can only imagine that it's not something a regular user would do for fun.

Therefore, this issue is more important for software developers and the platforms that distribute their software. It is hard to tell whether the developers who created apps on compromised systems knew about the malware on their computers. Researchers suggested that the developers might have used different environments to create their apps, as there were instances when other apps from the same developer were clean (as opposed to the compromised ones).

In other words, it is still too early for regular users to worry about such incidents. Rather, it is homework for the developers and security specialists. They need to work to ensure that regular users download only safe applications from official sources. Hence, it is important to come up with a system that would allow faster and better screening of new applications. While it might be hard to achieve for the time being due to the sheer number of new apps coming out every single day, the fact that researchers do find hidden malware in completely innocent-looking apps does give us hope.

September 6, 2018
