Android malware lurks in Google Play Store via version control

The Google Cloud Security team recently said that malicious actors, after evading the Google Play Store's review process and security controls, use a common tactic known as version control to plant malware on Android devices.

The technique introduces malicious payloads by providing updates to installed apps or by loading malicious code from servers controlled by the threat actor through what is known as dynamic code loading (DCL).

It allows attackers to bypass static analytics checks in app stores and deploy payloads as native, Dalvik or JavaScript code on Android devices.

Google mentioned in this year's Threat Trends report that one way malicious actors try to circumvent Google Play security controls is version control.

For example, a developer will release an initial version of an application to the Google Play App Store that appears legitimate and passes Google's checks. But then the user receives an update alert from a third-party server, at which point the code on the end-user's device is altered so that the threat actor can execute malicious activity that enables version control.

Google says that all apps and patches submitted to the Play Store are subject to rigorous PHA (Potentially Harmful Application) screening, but "some of those controls" are bypassed by DCL.

For its part, Google says that apps with this type of activity violate the Google Play Deceptive Behavior Policy and could be labeled as backdoors.

According to the company's Play Policy Center guidelines, apps published through Google Play are prohibited from being changed, replaced or updated in any way other than through the official update mechanism provided by Google Play.

Additionally, apps are strictly prohibited from downloading executable code (such as dex, JAR, or .so fileso) from external sources to the official Android app store.

Google also highlighted a malware variant called SharkBot, which was first discovered by Cleafy's Threat Intelligence team in October 2021. SharkBot is a banking malware that, after compromising an Android device, makes unauthorized transfers via the Automated Transfer Service (ATS) protocol.

In order to avoid detection by the Play Store system, SharkBot's threat makers employed a now-common tactic of releasing a limited-featured version of their app on Google Play, masking the suspicious nature of their app.

However, once a user downloads the Trojan app, the full version of the malware is downloaded.

Disguised as an Android antivirus and various system utilities, Sharkbot managed to infect thousands of users through the Google Play store's malicious behavior submission checks.

Cybersecurity journalist Brian Krebs highlighted a different mobile malware obfuscation technique recently announced by ThreatFabric security researchers. This method effectively cracks Google's app analysis tool, preventing it from scanning for malicious APKs (Android application packages). As a result, these harmful APKs can be successfully installed on a user's device even though they are marked as invalid.