Fraudulent Android app developers have been discovered trying to manipulate Google’s Play Store security by removing suspicious code before adding it back in to see what trips detection systems.
The behaviour was noticed by security company White Ops in two previously fraudulent apps, which it says raises an interesting question: if a fraudulent app developer deactivates the part of an app that makes its behaviour fraudulent, is that app still a fraud app?
The apps were among a small haul of 38 beauty-themed apps the company detected from the same developer which were reported to Google for bombarding users with unwanted ads.
As well as serving out of context ads at every opportunity, the apps also sent users to websites and made it difficult to de-install the apps using techniques such as hiding icons from the home screen and apps folder.
But how did the apps get there in the first place?
This has become a bit of an issue for Google’s security team in recent years. A security vendor or researcher spots multiple apps on the Play Store doing something bad, tells Google, which eventually removes the apps after confirming they’re malevolent.
Of course, uploaded apps are monitored by Google’s automated security checks before being accepted but this system can be bypassed, as the steady but unchecked stream of bad app discoveries confirm.
It’s not as hard to beat detection systems as it should be. Malicious developers have a range of techniques such as binary packing and even Arabic Unicode to hide malicious code in ways that are hard to spot without employing humans to look at each app and update.
Sometimes, apps contain no fraudulent code at all and simply exploit loopholes in Google’s licensing to do sometimes outrageous things such as charge users hundreds of dollars to continue using them.
But the bigger failure here isn’t that apps are able to sneak on to the Play Store but how long they remain there.
In this incident, the average time it took Google to remove apps was 17 days, with at least one left on the Play Store for three months. That doesn’t sound long until you hear that:
Even with an average of less than three weeks of time on the Play Store, the apps found an audience: the average number of installs for the apps we analyzed was 565,833.
Then the developer unexpectedly updated two apps containing malicious code so that most of the problem behaviour was deactivated.
That’s deactivated, not removed – the change was simply made using a command and control (C2) function, leaving the problem code intact but dormant inside the apps.
According to White Ops, the two tweaked apps are possibly an attempt to work out which criteria Google’s systems use to spot that apps are fraudulent.
In that scenario, the apps might be updated several times, each one activating a different part of the malicious behaviour, until Google detects its malicious intent.
Google took down the apps discovered by White Ops in 2019 but it’s hard not to be left with the impression that Google’s ongoing battle to banish bad apps has a struggle ahead of it.
Mahhn
It’s long over due for them to redesign their evaluation and approval system for malware, err I mean goog approved apps on the play store.
Maybe goog should go after evil developers like Ebay goes after critics…………
Mahhn
My last line was sarcasm (go after). I forget some people misinterpret and I should note it.
Keith
Is this not a criminal act?
David
In answer to the (perhaps rhetorical) question in paragraph 2, Yes it is still a fraud app and both it and the developer(s) should be kicked off, with no return allowed.
The world has plenty enough of honest developers with legitimate apps that it doesn’t need the efforts of these criminals.
Deidre Patterson
Sucked in…wtf…do you not require proof of concept????that they actually pay out???