Google Play Store Warning—Do Not Install These Apps On Your Phone


New warning as millions of phones infected with dangerous malware


Updated on September 26 with new report into increased threats from mobile malware, with Android again falling significantly behind iOS.

Google is cleaning up Android. The longtime app free-for-all is coming to an end, with a Play Store cull and tightening of restrictions around sideloading now hitting users, and Play Protect soon to be enhanced with Android 15’s live threat detection. All this is intended to close the gap to iOS and the locked down iPhone ecosystem.

But we still see frequent warnings for users that very serious risks still remain. And that’s certainly the case this week, with two separate security reports. First to Kaspersky, which has warned of the risks from “modified versions of Spotify, WhatsApp, Minecraft, and other apps from Google Play.”


The researchers again highlight the dangers of the Necro Trojan, first reported on in 2019, when they “discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play. Now the ‘necromancers’ have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites.”

Kaspersky says it found the trojan on a Spotify mod distributed outside Play Store, but also hiding in Wuta Camera, which “found its way onto Google Play, from where the app was downloaded more than 10 million times.”

Image: Wuta Camera—Play Store malware (Kaspersky)

The advice is simple. No to third-party stores, and a bigger no to mods for popular apps from unofficial sources. But “apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism. Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.”

The trojan has evolved and its obfuscation is far advanced over its earlier iterations. Its intent remains the same, though: “Load and run any DEX files, install downloaded apps, tunnel through the victim’s device, and even—potentially—take out paid subscriptions. In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.”

The second warning comes from Cleafy, which warns that in June it “identified an unclassified Android banking Trojan… a variant of TrickMo, albeit with newly incorporated anti-analysis mechanisms.”

TrickMo is an evolution of the infamous TrickBot, again with more advanced obfuscation and proactive masking from analysis to hinder discovery. TrickMo was also first identified back in 2019, so we see the common pattern once more: these threats evolve and harden as the various defenses put in place around phones and stores improve, and the constant game of cat and mouse continues.

TrickMo’s bag of tricks is impressively complete and includes:

Interception of One-Time Passwords (OTPs)
Screen Recording and Keylogging
Remote Control Capabilities
Accessibility Service Abuse
Advanced Obfuscation Techniques
Anti-Analysis Mechanisms

Again, not something you want on your phone. This malware is distributed by way of a fraudulent Chrome browser update which, once installed, prompts users with “a warning message prompting users to update Google Play services.”

According to Cleafy, “the new app is deceptively named ‘Google Services’ and poses as a legitimate instance of Google Play Services. Upon launching, the app displays a window to ask the user to enable Accessibility services for the app.” This neat social engineering, disguising malware behind trusted names, is unsurprisingly effective.

Image: Play Services hijack (Cleafy)

The common thread here is clear. Do not trust mods or updates or even initial installs of popular apps from anything other than official stores. Do not fall for unofficial mods that do not come from the original source. And pay attention even to official store installs of trivial apps from unfamiliar developers.

In response to the new reports, a Google spokesperson told me that “all of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

Google’s assurance is that Play Protect will defend users against both Necro and TrickMo. It really is essential that users ensure Play Protect is enabled on their devices; once threats are confirmed, it will defend you against infection by any future instances.

Talking of new threats, a third report into new Android malware in short succession has just been released. Again continuing the theme, ThreatFabric warns that a new Octo variant is targeting users while “masquerading as Google Chrome, NordVPN, and Enterprise Europe Network applications.”

Octo itself, part of the Exobot family, is so well established that the researchers warn that “the discovery of a new version, named ‘Octo2’ by its creator, could potentially shift the threat landscape and the Modus Operandi of the actors behind it.”

Image: Octo2 campaigns masquerading as Chrome and NordVPN (ThreatFabric)

Again continuing the theme, this is a case of evolving malware rather than a totally new threat. “The first samples of the Exobot malware family were seen in 2016. At that time, it was a banking trojan capable of performing overlay attacks and controlling calls, SMS, and push notifications.” The evolution from Exobot to ‘ExobotCompact’ (Octo) came three years later, in 2019.

ThreatFabric says it has detected Octo activity through Malware-as-a-Service campaigns as far afield as “Europe, the USA, Canada, the Middle East, Singapore, and Australia.” Renting out the malware accelerates its spread, leveraging multiple other threat actors along with the hardware and obfuscation they bring. The new variant, Octo2, is expected to seamlessly replace its predecessor and thus leverage established channels to market.

The researchers say “Octo2’s settings contain traces of multiple applications and apps being on the radar of the actors… It means that once Octo2 detects a push notification from one of the apps on the list, it will intercept it and not show it to the victim. The presence of the app on the list means that it is of interest to cybercriminals, and they are already preparing to attack its users.”

Again, as elsewhere, Octo2 uses a fraudulent “Google” notification pop-up to trick Android users into bypassing device restrictions so the malware can run. Unsurprisingly, material changes have been made in this latest iteration—but the intent remains to steal app-specific banking credentials through targeted campaigns.


“The emergence of the Octo2 variant signals future challenges for mobile banking security, as its enhanced capabilities and wider usage pose significant risks… Octo2 builds on (its) foundations with even more robust remote access capabilities and sophisticated obfuscation techniques. This makes it harder for security systems to detect and remove it, increasing the malware’s longevity and potential impact.”

Octo may be changing, but the advice for users remains the same; here’s a refresh on the other golden rules for staying safe:

Stick to official app stores—don’t use third party stores and never change your device’s security settings to enable an app to load.
Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
Once a month, scan through your phone and delete a few of the apps you no longer need or haven’t used in a long time.
Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.

To round out a week of malware concerns, Zimperium’s 2024 Global Mobile Threat Report has just been published and makes for stark reading. “With its widespread accessibility and immense scale, malware has become the weapon of choice for nearly every cybercriminal. Mobile malware rapidly spreads and extensively disrupts systems, with millions of unique variants and new malicious apps emerging daily.”

And while Play Protect and other Android defenses have advanced significantly in recent years, the threat landscape is evolving as quickly. “Zimperium researchers analyzed over 859k malware samples detected in the wild. On average, that equates to over 16,500 new malware samples a week. Remarkably, 72% of the malware samples were completely unknown at the time of detection.”

Clearly, this covers some new families but, more likely, mostly iterations of existing threats, where new initial lures and fresh obfuscation extend the life of the core malware. There are no real surprises in the report, which makes it even more critical that users follow the good hygiene rules above—especially when they are walking their phones into their places of work and connecting to enterprise systems.

The stats are dire and “contrary to perception,” Zimperium warns, “app stores are not responsible for preventing every malicious app from getting in or protecting apps from abuse. With more than 300 public app stores, 1,300 device manufacturers, and constant OS updates, enterprise mobile device risk postures become very dynamic. Because so few enterprises prioritize the security of mobile apps and devices, this becomes the attack surface of choice. Recognizing these vulnerabilities, attackers have adopted a ‘mobile first’ attack strategy as mobile presents a large, unsecured, and unmanaged attack surface for entry to the network and to corporate data.”

The good news for Android users sticking rigidly to the Play Store, though, is that, unsurprisingly, the risks are exponentially increased by sideloading. Little surprise then that Google, Samsung and others are finally clamping down on third-party app store access and direct installs, while the Play Protect umbrella has been expanded to cover apps from whatever source, and Android 15’s new live threat detection should take that further still when it starts to reach devices later this year.

Image: Mobile threat report—malware’s geographic spread (Zimperium)

“Our research,” Zimperium says, “indicates that globally, users who engage in sideloading are 200% more likely to have malware running on their devices than those who do not. In fact, sideloading is a great contributor to malware risk; in 8.3% of cases where malware was detected, the source can be traced back to a sideloaded application… In the most severe cases, sideloading apps can lead to a complete mobile device compromise, granting remote attackers full control.”

Zimperium calls out this year’s Verizon Data Breach Investigations Report (DBIR), which warns that “mobile devices are the fastest-growing attack vector, with mobile malware detections rising by 51% year-over-year.”

It also repeatedly highlights the trojan (of a different kind) enterprise risk of employees bringing in devices that may or may not have been fully secured, and that carry a high risk of bringing malware inside the corporate shield. “Nearly 67% of employees use personal devices for work, regardless of whether their company has a formal bring-your-own-device (BYOD) policy. Alarmingly, 70% of businesses fail to adequately secure personal devices used for work purposes. This lack of security likely increases the actual risk, reinforcing the belief held by 55% of professionals that smartphones are the most exposed endpoints in their organization.”


Again, Zimperium’s report highlights the additional risks within the Android ecosystem, given the prevalence of sideloading, the mix of OEMs, the looser control over permissions (albeit that’s changing), and the much larger percentage of devices that have fallen out of support. All of this is set against a worsening threat landscape.

“When it comes to platform vulnerabilities, 2023 witnessed a surge in identified Common Vulnerabilities and Exposures (CVEs) among both Android and iOS. The zLabs research team detected 1,421 CVEs in Android devices tested, representing a 58% increase from 2022. Sixteen of these vulnerabilities were exploited in the wild, which means they were exploited within the real world, rather than test environments. iOS devices tested saw 269 CVEs, representing a 10% increase, 20 of them being exploited in the wild.”


https://www.forbes.com/sites/zakdoffman/2024/09/26/google-play-store-new-app-warning-for-pixel-9-pro-samsung-galaxy-s24-android/