Zscaler Discovers More Than 50 Malicious Apps In The Google Play Store

Together, they amount to more than 300,000 downloads. The apps spread several malware families. They steal confidential data and book unwanted WAP subscriptions.

The ThreatLabz team of the security provider Zscaler has once again found malware in Google's Play Store. According to the researchers' analysis, more than 50 malicious apps made it past Google's controls and into the official Android marketplace. They carry the malware families Joker, Facestealer and Coper, which are capable of stealing data, hijacking social media accounts and subscribing victims to unwanted premium services.

Google already has the researchers’ findings. As a result, the company was able to remove the malicious apps from the Play Store. However, users who have downloaded one of the malicious apps still have to remove it manually from their devices.

The malware family Joker accounts for the largest share of the malicious apps. Zscaler's report lists 50 infected apps that collectively reached more than 300,000 downloads in the Play Store. More than half were communication apps. Such apps usually request sensitive permissions by design, but those same permissions also allow the operators behind them to perform malicious actions.

Joker is known to steal information such as SMS messages and address books from compromised devices. Joker also registers its victims' mobile phone numbers for WAP subscriptions, which are charged via the mobile phone bill. In Germany, however, users have the option of blocking third-party billing via their mobile phone bill altogether.

According to the researchers, the Android installation files (APK format) downloaded via the Play Store already contain the actual malicious code. However, it is hidden in so-called asset files in formats such as JSON, TTF or PNG and is additionally encoded in Base64. "Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and create an ARM ABI executable to avoid detection by most sandboxes based on the x86 architecture," Zscaler explained.
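The two evasion tricks described above (an executable payload parked in the assets folder under a data-file name, Base64-encoded, and built for ARM so that x86 sandboxes never run it) are both visible to a static triage check that looks at what the bytes of each asset actually are rather than at the file extension. The script below is an added example written for this article, not code from Zscaler or from the report; it opens an APK as the ZIP archive it is, inspects every entry under `assets/`, tries a strict Base64 decode where the content is pure Base64 text, and flags anything whose (decoded) bytes start with a DEX or ELF magic, reporting the ELF target architecture so an analyst knows whether an ARM-capable sandbox is needed. The sample APK it builds in memory is constructed for the demonstration; the file names and the choice of magic values are assumptions, not indicators from the report.

```python
import base64
import binascii
import io
import re
import struct
import zipfile

# Magic bytes of code formats that belong in classes.dex or lib/, never in a data asset.
DEX_MAGIC = b"dex\n"
ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification, used to report the payload's target.
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}

# A whole-file Base64 alphabet check (whitespace is stripped before matching).
_B64_CHARS = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def elf_arch(blob):
    """Read e_machine from an ELF header, honouring the EI_DATA endianness byte."""
    if len(blob) < 20:
        return "unknown"
    fmt = "<H" if blob[5] == 1 else ">H"  # EI_DATA: 1 = little endian, 2 = big endian
    machine = struct.unpack(fmt, blob[18:20])[0]
    return ELF_MACHINES.get(machine, hex(machine))


def classify(blob):
    """Return 'dex' or 'elf/<arch>' if the bytes carry a code magic, else None."""
    if blob.startswith(DEX_MAGIC):
        return "dex"
    if blob.startswith(ELF_MAGIC):
        return "elf/" + elf_arch(blob)
    return None


def try_base64(data):
    """Decode data if the whole file is Base64 text (line breaks allowed); else None."""
    compact = b"".join(data.split())
    if len(compact) < 8 or not _B64_CHARS.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_assets(apk):
    """Return [(entry_name, label, was_base64)] for assets that hold executable code.

    `apk` is a path or a file-like object; an APK is a ZIP archive, so zipfile reads it.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            raw = zf.read(name)
            label = classify(raw)
            if label:
                findings.append((name, label, False))
                continue
            decoded = try_base64(raw)
            if decoded:
                label = classify(decoded)
                if label:
                    findings.append((name, label, True))
    return findings


def build_sample_apk():
    """Construct a toy APK in memory (not a real sample) with one benign JSON asset,
    one 'font' whose body is a Base64-encoded ARM ELF header and one raw DEX blob."""
    # e_ident: magic, ELFCLASS32, little endian, version 1, padding; then e_type, e_machine=ARM
    elf_header = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 0x28)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 100)
        zf.writestr("assets/config.json", b'{"theme": "light"}')
        zf.writestr("assets/fonts/roboto.ttf", base64.encodebytes(elf_header * 4))
        zf.writestr("assets/strings.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, label, encoded in scan_assets(build_sample_apk()):
        print(f"{entry}: {label} ({'base64-encoded' if encoded else 'raw'})")
```

On a real file, call `scan_assets("app.apk")`. The check is deliberately narrow (whole-file Base64 only, two magics) to keep false positives low in bulk triage; a payload split across several assets or XOR-obfuscated would need a second pass, but an `elf/arm` hit under `assets/` is already a strong signal that the app deserves analysis on ARM hardware or an ARM emulator rather than an x86 sandbox.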

An app called Vanilla Snap Camera with around 5,000 downloads contained the Facestealer malware. Its job is to steal Facebook account credentials using fake login pages displayed as overlays. Finally, Coper was developed to intercept SMS messages and to send malicious SMS messages itself. The researchers discovered Coper in an app called Unicc QR Scanner. However, the app did not contain any malicious code immediately after installation; the malicious code was only installed after the first start, via a fake software update.