Google’s Play Store has yet again found itself in damage control mode after malicious apps were made available for download to consumers. This incident involves three different apps and further shows how much more work the tech giant has to do to fight threat actors who can bypass the Play Store’s supposedly rigid vetting process.
The malicious apps were uncovered by researchers at Lookout and were subsequently covered in two separate blog posts. The first post concerned two apps containing malware from the ViperRAT malware family, which Lookout describes as “a known mobile advanced persistent threat (mAPT).” The apps in question were “chat” apps (VokaChat and Chattak) that, combining both apps’ download statistics, had been downloaded over a thousand times.
ViperRAT was used in the past to perform phishing attacks on the Israeli Defense Force, namely so that IDF members would download surveillance software. Surveillance of private data was also likely the motivation behind this recent infection. Researchers, however, noted the following differences:
It is interesting that in these new samples, the chat functionality was fully implemented, something that is different from the previous samples. Furthermore, command and control infrastructure for the two samples remained active (at the time of writing) and even included the privacy statement that Google requires from developers who publish to the Play Store.
The third removed app carried a combination of two malware families, Desert Scorpion and FrozenCell. According to Lookout’s blog post on the matter, the malware in question was developed by a “single, evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East.” The targets appear to be individuals in Palestine, as evidenced by a previous phishing campaign APT-C-23 carried out on Facebook.
Once again, surveillance was the core function of the malicious app as Lookout explained:
The surveillance functionality of Desert Scorpion resides in a second stage payload that can only be downloaded if the victim has downloaded, installed, and interacted with the first-stage chat application. The chat application acts as a dropper for this second-stage payload app.
Cybercriminals are not stupid, and Google seems to be underestimating them. It is unacceptable that so many malicious apps make their way into the Play Store without being caught by Google’s built-in scanning mechanism. The company needs to fix this, and fast, if it wants to retain customers.
Photo credit: Flickr / Bram.Koster