A malicious third-party Android app is capable of a number of attacks, such as click fraud, premium rate SMS fraud and downloading additional malicious APKs, a security firm warns.
Zscaler wrote that the app disguises itself as the free version of a legitimate pay-to-use app, BatteryBot Pro, which sells in the official Google Play store for $2.99. The app was even briefly slipped into the Play store before Google removed it, the firm revealed, noting that it greatly differs from the legitimate app in that it asks for minimal permissions, including access to photos and to disable a screen lock. The malicious app also requests other permissions and specifically asks to run with administrative access.
Although users have to approve this access, Michael Sutton, CISO at Zscaler, told SCMagazine.com that this extra security often isn't enough to deter users from downloading malicious apps.
“When I install an app, I need all these privileges, whether they're legitimate or not,” Sutton said. “I think that's created this ‘shut it off or tune it out' [culture]. There's a list of privileges and users don't bother looking at it.”
The inundation of permission requests contributes to the survival of malicious apps, similar to this one.
In this case, once the app has administrative control, it begins performing malicious activity in the background, starting with a click fraud campaign in which pop-up ads will appear on the device.
The malware then starts collecting information from the victim's device, along with the installation of various APKs without the user's consent. Eventually, once a user is in the app and attempts to use it, the malware begins sending premium rate SMS messages.
This, Sutton says, causes direct financial loss to the victim.
“This is the kitchen sink of malicious behavior,” Sutton said. “Malicious apps usually target one thing but this has a piece of everything in it.”
To make matters worse, it is extremely difficult to uninstall the app once it has administrator privileges. If the impacted device isn't rooted, a user can revoke the privileges and continue to uninstall the app normally.
However, if the device is rooted, the malware will appear uninstalled but will continue running in the background with a different app, which it secretly installs. If it reaches this point, Sutton said it would possibly require flashing the device to uninstall the app.
Overall, Sutton advises sticking to the official Google Play store and away from third-party vendors. Also be wary of granting permissions so easily, especially with free apps, he said.