A Turkish alternative app store, CepKutusu.com, has been spreading malware under the guise of nearly every offered Android app.
Victims download an app from the store only to find that it in no way resembles what they expected; instead they receive an app disguised as a Flash Player.
Once the malware is downloaded, the store sets a cookie so that the same user is served clean download links for seven days; after that, the user is redirected to the malware again the next time they attempt to download any application from the store, according to a July 25 ESET blog post.
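The cookie-gated behaviour described above is exactly what makes a one-off check of the store miss the problem: a client that has already been served the payload sees clean links for a week. The following added example (not ESET's, SC Media's or the store's code) shows the auditing technique a defender would use: download the same app as several fresh clients and as one returning client, and flag the store if the served files differ. The `FakeStore`/`HonestStore` classes, the `audit_store` function, the seven-day window as a cookie value and the APK bytes are all constructed stand-ins for illustration; a real audit would use HTTP sessions with separate cookie jars.

```python
"""Audit a download portal for cookie-gated cloaking (added example, not page code)."""
import hashlib
from datetime import datetime, timedelta

# Constructed sample payloads standing in for real APK files.
CLEAN_APK = b"constructed: the real game the user asked for"
PAYLOAD_APK = b"constructed: trojan disguised as Flash Player"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeStore:
    """Constructed model of the behaviour the article describes: a client with no
    cookie receives the payload and gets a cookie; while that cookie is valid
    (seven days here) the same client receives clean files."""
    COOKIE = "served"  # assumed cookie name

    def __init__(self, now: datetime):
        self.now = now

    def download(self, app: str, jar: dict) -> bytes:
        expiry = jar.get(self.COOKIE)
        if expiry is not None and self.now < expiry:
            return CLEAN_APK  # returning client inside the window: clean link
        jar[self.COOKIE] = self.now + timedelta(days=7)
        return PAYLOAD_APK  # fresh (or expired) client: malware


class HonestStore:
    """Control case: serves the same file to everyone."""

    def download(self, app: str, jar: dict) -> bytes:
        return CLEAN_APK


def audit_store(store, app: str, fresh_probes: int = 3) -> dict:
    """Fetch `app` once to obtain a cookie, again as that returning client, and
    `fresh_probes` times with empty cookie jars. An honest store yields one
    digest; a cookie-gated store yields different digests for fresh and
    returning clients."""
    jar: dict = {}
    first = sha256(store.download(app, jar))       # fresh client, receives cookie
    returning = sha256(store.download(app, jar))   # same jar, now "trusted"
    fresh = {sha256(store.download(app, {})) for _ in range(fresh_probes)}
    digests = fresh | {first, returning}
    return {
        "cloaked": len(digests) > 1,
        "fresh_client_hashes": sorted(fresh),
        "returning_client_hash": returning,
    }


def reinfects_after(store: FakeStore, app: str, days: int) -> bool:
    """Check whether a client that was clean is served the payload again once
    `days` have passed, i.e. whether the cookie window has expired."""
    jar: dict = {}
    store.download(app, jar)                       # first visit: payload + cookie
    assert store.download(app, jar) == CLEAN_APK   # inside the window: clean
    store.now = store.now + timedelta(days=days)
    return store.download(app, jar) == PAYLOAD_APK


if __name__ == "__main__":
    store = FakeStore(now=datetime(2017, 7, 25))
    print(audit_store(store, "popular-game"))
    print("re-served payload after 8 days:", reinfects_after(store, "popular-game", 8))
    print(audit_store(HonestStore(), "popular-game"))
```

Running the block prints a `cloaked: True` verdict for the modelled store, shows that the returning client's hash matches the clean file while every fresh client gets the payload hash, and confirms that the clean window closes after the seven days the article mentions, while the honest store produces a single digest.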
The malicious app was detected as Android/Spy.Banker.IE, a remote banking trojan capable of intercepting and sending SMS messages, displaying fake activity, and downloading and installing other apps.
Researchers have spotted only a few hundred infections, which they said could be attributed to users deleting the “Flash Player” after expecting whatever app they were attempting to download and finding the player in its place. Users are often lured into downloading the apps on social media or on YouTube, where they may see advertisements for the store or for the apps it offers.
“If you got lured into downloading a popular game and ended up with Flash Player instead … I think you'd uninstall it straight away and report the issue, right?” ESET researcher Lukas Stefanko said in the blog.
He said this is the first time he has seen an entire Android market infected using this technique, adding that it is rather common in the Windows ecosystem and in browsers. The technique may be exploited further in future attacks.
“I can imagine a scenario in which the crooks who control the store's back end append a malicious functionality to each of the apps in the store,” Stefanko told SC Media. “Serving those interested in a particular game with a trojanized version of that game – that would remove the biggest red flag and the number of victims might rise significantly.”
There are three possible scenarios to explain who is behind the malicious store: the store was built from the outset with the intention of spreading malware; a legitimate app store was turned malicious by an employee with bad intentions; or a legitimate app store fell victim to a remote attacker.
Stefanko said he believes the app was misused by the owner and its employee to corrupt victims.
In order to prevent infection, users are recommended to always favor downloading apps from official app stores, use a reliable mobile security solution to protect them from the latest threats, and be cautious when downloading content from the internet.