Researchers from Bitdefender have shared details about dozens of apps on the Google Play Store that camouflage themselves behind false pretenses and then hide their presence once installed using several tricks, including changing their names and icons. “Sadly, the findings are not surprising at all,” Dr. Johannes Ullrich, Dean of Research at SANS Technology Institute, told Lifewire in an email interview. “The Google Play store has frequent problems identifying and eliminating malicious apps.”
Pulling a Fast One
Commenting on the modus operandi of the apps, Bitdefender said the apps trick users into installing them by pretending to offer specialized functionality, like a location finder or a camera app with filters. But immediately after installation, the apps change their name and icon, which makes them virtually impossible to find and uninstall. To hide in plain sight, some apps change their name to Settings and their logo to the gears icon usually associated with the Settings app. When clicked, the apps launch the actual Settings app of the phone to complete their deception successfully. This way, most users cannot find the actual malicious app they just installed. In the background, though, the apps will begin spewing intrusive advertisements. Interestingly, the apps use yet another trick to ensure they don’t show in the list of the most recently used apps on Android. “Bad actors will always try to deploy tampered or cloned apps for many reasons: to inject malware, disrupt financial transactions, divert advertising revenue, or simply to steal data,” George McGregor, VP at mobile app protection experts Approov, told Lifewire via email. While the apps identified in the research are known as adware, since all they serve is irritating advertisements, Bitdefender says those apps can just as easily fetch and serve a more dangerous type of malware. “While all of the detected apps are clearly malicious, the developers were able to upload them to the Google Play Store, offer them to users and even push updates that made the apps better at hiding on devices,” said Bitdefender. Despite the fact that Google hasn’t been able to completely stop such fake apps from being available on the Play Store, McGregor said people shouldn’t go to a third-party app store. Dr. Ullrich agreed. “Users are still better off limiting downloads to the Google Play store,” he said. “But they need to understand that the Google approval process is not very robust.”
Less Is More
The 35 malicious apps Bitdefender has identified as part of their research have download counts ranging from 10,000 to 100,000 and have clocked over two million downloads between them. Bitdefender told Lifewire over email that it had informed Google about the malicious apps before it was published. Surprisingly, as of August 18, most if not all apps were still available for download. To avoid becoming a victim of these fraudulent apps, Bitdefender suggests carefully examining their requested permissions. For instance, any app that requests the ability to draw over other apps should be subject to further tests. Listing several parameters to judge an app’s genuineness, Dr. Ullrich recommends examining the date the app was uploaded since apps that have been listed for a while are less likely to be malicious. “Do not install too many apps,” said Dr. Ullrich. “Discard apps you haven’t used in a while or do not even remember what they do.” Approaching the issue from a different perspective, McGregor pointed out that there are tools for app attestation that can completely prevent apps from being cloned or modified, ensuring that only a genuine copy of the app is allowed to run and access data. “Some individual app developers protect their apps in this way already,” said McGregor. “But it may be in the interests of Google to require that such app attestation be in place for any app deployed on the Play Store.”