Applications in Google Store that carry malware
Mobile malware is becoming increasingly common, and hackers are ceaselessly trying to invent new ways of hacking into your smartphone or tablet through different malicious apps. Recently, researchers from both SfyLab and Zscaler have reported the presence of two malicious applications that seem to have bypassed Google Store’s security measures and are currently available at the Store. The names of the shady applications are Earn Real Money Gift Cards and Bubble Shooter Wild Life, both created by a developer known as Boris Block. So far, the download count of those apps does not go above 5 000. Both research teams have reported their discovery to Google, and it seems that the malicious applications have been taken down from the Store. That said, it is possible that the developer of the apps might try to infiltrate the Store once again with some other malicious piece of software, especially since the security scans were not able to stop the malware apps the first time.
About the malicious apps
The first of the two harmful apps carries the so-called BankBot. BankBot is known for its ability to remain under the radar of Google Store and to avoid being flagged as actual malware. It is primarily used to obtain the banking account credentials of the targeted victims by tricking users into entering the credentials in a form that is made to look like some sort of verification requirement. However, since the form is generated by the malware app, the hacker would instantly gain access to your banking accounts should you make the mistake of typing your credentials. This malware has been around since December last year, and so far there have been seven waves of attacks by it according to the researchers at SfyLab, which further confirms just how insidious and stealthy this type of harmful software is.
However, both research teams put their emphasis on the second of the two malicious apps, the mobile game called Bubble Shooter Wild Life, saying that it is a unique form of malware that has never been seen before. It is said to exploit the Android Accessibility feature, allowing the hacker who uses the malware to gain control over the device remotely. The virus belongs to the so-called dropper category of malware, which is known for allowing the hacker to install additional malicious software on the device once the dropper has infected the smartphone or the tablet. What’s unique about Bubble Shooter Wild Life is that it additionally enables the Installation from Unknown Sources setting on the infected device.
How those Trojans exploit the Accessibility setting
Most such malicious apps come disguised as legitimate software in order to trick the user into installing them. For example, some Banking Trojans are made to appear exactly like Adobe Reader or some other similar app. Once the user opens the disguised malware, the Trojan issues a permission request in order to gain the access it needs to fulfill its agenda. If the user makes the mistake of agreeing, the malware would gain Administrator Rights on the device and would operate from a separate Administrator account without the user’s knowledge. This would allow the hacker to generate pop-ups on the infected device which ask the user to fill in their credit/debit card details. Of course, if one manages to realize in time that this is a ruse, they could still save their money by not filling anything in those pop-ups. However, it must be noted that if Trojans such as these are granted Accessibility, they would be rather tricky to remove, as they wouldn’t allow a simple uninstall to take place. In such instances, the phone must be booted in Safe Mode in order to carry out the uninstallation.
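A defender-side check for the two settings described above, as an added example that is not from the original article or from the researchers: it flags Accessibility services outside an assumed allowlist and an enabled Unknown Sources switch. The allowlist, the com.example.* package and the function names are assumptions, and the install_non_market_apps value is only meaningful on Android versions before 8.0, where sideloading was a single device-wide switch.

```sh
#!/bin/sh
# Added example: review two settings the article says these Trojans abuse.
# On a real device a defender would read the inputs over adb:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure install_non_market_apps
# Here they are passed as arguments so the logic runs offline.

# Assumed allowlist: packages the owner expects to hold Accessibility.
ALLOWED_A11Y_PKGS="com.google.android.marvin.talkback"

# flag_a11y_services "<colon-separated package/class list>"
# Prints the package of every enabled service that is not allowlisted.
flag_a11y_services() {
    # The setting is empty or the string "null" when nothing is enabled.
    case "$1" in ""|null) return 0 ;; esac
    old_ifs=$IFS; IFS=:; set -f          # split on ':' without globbing
    for component in $1; do
        pkg=${component%%/*}             # component is "package/ServiceClass"
        [ -n "$pkg" ] || continue
        case " $ALLOWED_A11Y_PKGS " in
            *" $pkg "*) ;;               # expected service
            *) printf '%s\n' "$pkg" ;;
        esac
    done
    IFS=$old_ifs; set +f
}

# audit_device "<accessibility setting>" "<install_non_market_apps value>"
# Prints findings; returns 0 when clean, 1 when something needs review.
audit_device() {
    findings=0
    for pkg in $(flag_a11y_services "$1"); do
        echo "REVIEW: accessibility service enabled for $pkg"
        findings=1
    done
    # "1" = sideloading allowed device-wide (the switch used before Android 8.0).
    if [ "$2" = "1" ]; then
        echo "REVIEW: installation from unknown sources is enabled"
        findings=1
    fi
    return "$findings"
}

# Constructed sample values (com.example.* is a made-up package).
SAMPLE_A11Y="com.google.android.marvin.talkback/.TalkBackService:com.example.bubblegame/.HelperService"
audit_device "$SAMPLE_A11Y" "1" || echo "device needs manual review"
```

A flagged package is only a prompt for manual review: a legitimate app the owner installed on purpose can be added to the allowlist.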
The dropper malware from Bubble Shooter Wild Life is still in development!
The aforementioned researchers have also pointed out that during their tests, the dropper Trojan failed at different stages of the infection. This suggests that the virus is still undergoing development and is not yet finalized. That said, the malware was still able to bypass Google Store’s security, and the implications of this are not good. After all, if a virus that is still in development manages to easily infiltrate the Store, the issue would be even greater once the Trojan gets improved.
So far, it is believed that the main reason why this malware manages to get inside the Store without getting detected is that it does not initially display any malicious behavior. Both of the apps mentioned in this article are said to delay the execution of any malicious activity by twenty minutes, enough time for the scanning from Google to be over and for the malicious applications to be marked as legitimate.