Google Play fails to catch trojan-injected apps (again)
Getting your Android apps through Google Play is considered safe, but there are times when even the search giant's store is dangerous. Case in point, Kaspersky uncovered two more trojan-infected apps that weren't removed until they had over 60,000 installs.
Kaspersky security researcher Roman Unuchek reports that, since September 2016, he has discovered "several dozen new malicious apps" on Google Play, all of which "were rooting malware that used exploits to gain root rights on the infected device." Obviously, Google failed to catch any of those in time either.
The two apps in question this time around are called Magic Browser and Noise Detector. The name alone should make savvy Android users skeptical of their functionality, but it looks like many folks fell into the trap set by their creators.
Magic Browser had over 50,000 installs. Its description isn't very professional and its design is very similar to that of Google Chrome. The name of the developer? Mishwing. If you do a Google search, you'll find it's the top result, with a link to its Google Play catalogue. The Google Play link now displays an URL not found error.
Noise Detector had over 10,000 installs. It comes from developer FredRee Junky. A Google search for the exact name also takes you straight to its Google Play page, which, again, throws the same error now. This one has less SEO power than Mishwing, as if you do the same Google search sans the obligatory quotes to narrow down the results you will find totally unrelated results on the main page.
The trojan in question that was found in both apps is known as Trojan-SMS.AndroidOS.Ztorg.a. According to Unucheck, its purpose is to send SMS messages at premium rates and delete incoming SMS messages. After the apps are installed, it waits for 10 minutes before connecting to a server to figure out which numbers to send those pricey SMS messages to.
Magic Browser, for instance, has 11 components in its code that attempt to send SMS messages. This technique makes it possible to cater to the multiple versions of Android and devices that are in use.
The approach used for Magic Browser differs to that of Noise Detector. Magic Browser is believed to be more of a test run, to see if the creators can get away with uploading the malware, while with Noise Detector the creators intended to build up a solid user base and add all the necessary malware components later down the road.
The latest version of Noise Detector had the malware code in it, but no way to execute it. Obviously, the creators could add it at a later stage, but Unucheck says that Google intervened before they could do that.
This problem somehow crops up again and again, which begs the question: Is Google unable or unwilling to protect its users from malware? No matter how you slice it, Google's reputation suffers.
Image credit: N Azlin Sha / Shutterstock