Collectively downloaded millions of times, 158 fake Android applications containing mobile malware were recently found smuggled into the Google Play Store, according to a trio of separate research reports that were published within days of each other.
Researchers at McAfee did the heaviest lifting, spotting Grabos, a program that pushes unwanted apps onto the device, in 144 trojanized apps. Meanwhile, analysts at ESET identified eight apps carrying a multi-stage downloader dubbed Android/TrojanDropper.Agent.BKY, and experts at Malwarebytes found six apps sabotaged with Android/Trojan.AsiaHitGroup, which contains hidden adware and attempts to download an SMS trojan.
In all three cases, Google was alerted to the troublesome APKs and promptly removed them. However, these latest discoveries are further evidence that Google alone is not able to prevent every malicious actor from sneaking malware into its software store.
The Grabos malware that McAfee identified was found primarily in file explorer and music player applications, some of them built on open-source code. Its malicious activity includes gathering and exfiltrating a device's specs (e.g. Android version, build model and country code), location, and configuration. It also checks whether certain social and Google apps are installed and reports its findings to the command-and-control (C&C) server.
McAfee believes such information helps Grabos create custom notifications designed to trick users into downloading and installing additional mobile software.
"Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app. However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to download and install additional apps and open them without their consent," states McAfee mobile malware researcher Carlos Castillo in a McAfee blog post. "Considering that Grabos also reports the presence of specific social and Google apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code."
Grabos continuously checks the state of the phone to decide whether it is safe to run its malicious code or to execute only its legitimate functionality. Only when the app is not in the foreground, and when nothing indicates that it is running in a test environment or being dynamically analyzed, does Grabos begin reaching out to its C&C server. It further evades analysis by updating its remote settings every 24 hours, and it likely dodged Google Play's security checks by obfuscating its injected code, Castillo explains.
To improve its odds of spreading, Grabos is also designed to ask the user to share the app with friends, promising faster download speeds in return.
Grabos was initially found in an application called Aristotle Music audio player 2017, which was reportedly downloaded between one and five million times. McAfee also found the download histories of 34 other malicious Grabos apps, which collectively were downloaded somewhere between 4.2 and 17.4 million times. One app was last updated as far back as Apr. 6, 2017, but the rest were last updated between July and October. A full list of Grabos apps is available in McAfee's blog post.
In its own blog post, ESET reports that it discovered the downloader TrojanDropper.Agent.BKY in six fake apps called MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, and World News PRO, as well as two Russian online slots apps.
According to ESET, the malicious apps behave normally on the surface, but behind the scenes they decrypt and execute a first-stage payload, which in turn activates a second-stage payload. This second-stage malware then downloads a third-stage payload from a hardcoded URL, disguised as a legitimate program such as Adobe Flash Player or an Android update. (ESET learned that one of the malicious URLs was visited nearly 3,000 times, with most activity coming from the Netherlands.)
Five minutes later, the device owner receives a prompt to download this additional app. Once this happens, the app drops the final payload and obtains the necessary permissions for it to work. TrojanDropper.Agent.BKY is known to drop banking trojans, including MazarBot, and in some cases spyware, reports ESET malware researcher and blog post author Lukas Stefanko.
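The McAfee and ESET descriptions above share one structure: a benign-looking app that carries an encrypted or downloaded stage, a hardcoded URL for the next stage, and a check for an analysis environment before doing anything hostile. As an added example, not code from McAfee, ESET or Malwarebytes, here is a Python static-triage script that runs those three checks over an unpacked APK. It builds a constructed, harmless zip in memory in place of a real sample; the emulator-detection indicator strings, the lure string and the entropy threshold are generic assumptions, not indicators extracted from these families.

```python
"""Static triage for multi-stage Android droppers (added example).

Three checks a reviewer runs on an unpacked APK:
  1. hardcoded URLs in the dex (a loader stage fetching the next stage)
  2. high-entropy files under assets/ (encrypted embedded payloads)
  3. emulator/sandbox-detection strings and social-engineering lure strings
"""
import io
import math
import random
import re
import zipfile
from collections import Counter

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Generic emulator/debugger indicators (assumed, not taken from Grabos):
# qemu system property, emulator host alias, emulator kernel/board names,
# the qemud socket, and the Android debugger check.
ANTI_ANALYSIS_INDICATORS = [
    b"ro.kernel.qemu", b"10.0.2.2", b"goldfish", b"ranchu",
    b"/dev/socket/qemud", b"isDebuggerConnected",
]
# Assumed lure strings a dropper shows when prompting for the next stage.
LURE_STRINGS = [b"Flash Player", b"System Update"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted/compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Scan every zip member and collect findings by category."""
    findings = {"urls": set(), "anti_analysis": set(),
                "lure_strings": set(), "high_entropy_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if info.filename.endswith(".dex"):
                # dex strings are NUL-terminated, so a URL ends at \0
                findings["urls"].update(
                    m.decode("ascii", "replace") for m in URL_RE.findall(data))
                findings["anti_analysis"].update(
                    i.decode() for i in ANTI_ANALYSIS_INDICATORS if i in data)
                findings["lure_strings"].update(
                    l.decode() for l in LURE_STRINGS if l in data)
            elif info.filename.startswith("assets/") and len(data) >= 256:
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings["high_entropy_assets"].append(
                        (info.filename, round(ent, 2)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK; contains no real malware."""
    rng = random.Random(1)  # deterministic pseudo-random "encrypted" blob
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    dex_strings = [
        b"Lcom/example/app/Main;",
        b"http://example.invalid/update/FlashPlayer.apk",  # hardcoded stage URL
        b"Install Flash Player",                           # lure shown to user
        b"ro.kernel.qemu", b"10.0.2.2",                    # environment check
    ]
    dex = b"dex\n035\0" + b"\0".join(dex_strings) + b"\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/config.dat", encrypted_blob)   # hidden payload
        zf.writestr("assets/readme.txt", b"plain text " * 50)
    return buf.getvalue()


if __name__ == "__main__":
    for category, hits in triage_apk(build_sample_apk()).items():
        print(f"{category}: {sorted(hits) if isinstance(hits, set) else hits}")
```

On a real sample the same checks apply to the raw classes.dex and assets directory straight out of the zip. A high-entropy asset next to a small loader class is the ESET pattern; the qemu and 10.0.2.2 strings point at the kind of environment check McAfee describes, which is also why a sandbox that looks like a stock emulator never sees the C&C traffic. Entropy alone is a weak signal (JPEGs and compressed fonts also score high), so treat it as a triage flag, not a verdict.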
Malwarebytes found at least six Android apps containing AsiaHitGroup, including an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. All of them were most likely added to Google Play in October and November, writes Nathan Collier, senior malware intelligence analyst, in a company blog post.
Upon analyzing the fake QR scanner app, Malwarebytes found that the malware queries a website offering geo-IP services to determine the infected device's location. If the phone is in Asia, Malwarebytes believes, the malware then downloads Android/Trojan.SMS.AsiaHitGroup, a trojan that intercepts SMS text messages.
AsiaHitGroup also contains another hidden APK, Android/Adware.AsiaHitGroup, which is designed to push adware on the victim.