From time to time, news of malware discovered on Google Play spreads, and Google responds by highlighting all the malware it has stopped with Google Play Protect and promising a more thorough review. Even so, malware is easy to find on Google Play: it is among the top downloads.
We didn't have to search far to come across a malicious app on Google Play, one that isn't even hiding much. Under the guise of a PDF editor, the first thing it does when you open it is download another malicious app and encourage you to grant it special permissions.
Malware doesn’t hide
According to Tim Cook, loading applications from outside official stores poses the greatest threat to device security, but the truth is that you don't need to leave the store. Malware distributors know how to bypass Google Play's security in order to make their applications available to as many users as possible.
With nearly 3 million apps on Google Play (according to Statista), malware could lurk anywhere on the store, but you don't have to dig deep. In the Top 169 applications for Spain you will find PDF +, with over 10,000 downloads and the promise of a PDF document editor to open, highlight and annotate. The description is a copy of the one for PDF Expert on the App Store.
With a perfect 5.0 score from 38 votes, there seems to be no reason to distrust the application, which has professional-looking illustrative images highlighting its virtues (and which have little to do with what you will find when you install it). The screenshots appear to be taken from another app, called PDF Reader Pro.
Climbing to the top of the Google Play ranking is easy: all you need is fake or incentivized reviews and downloads
We have already seen how easy it is to buy reviews on Google Play, a mechanism well known to those who distribute malware. With enough money and the promise of a reward, users are enticed to download applications and leave positive reviews, pushing them up the download charts. It is quite common to find outright junk apps at the top of Google Play. The surprise comes when you install one.
This app is a scam
After opening the application, the interface has little or nothing to do with the Google Play preview. The first thing it does is ask for permission to install an update, which is odd in itself. Odder still is that this update is an APK file that identifies itself as Flash Player. Yes, the same Flash Player that lost official support in 2012. Or rather, not the same one, because it is all a sham.
At this point, many users will begin to suspect that something is wrong with the application, but those who go ahead will end up installing what is known as a banking trojan, a type of malware specialized in stealing banking credentials, directly from Google Play and with Play Protect looking the other way.
The first thing the app does is ask you to download and install an APK containing a Trojan
When you open Flash Player, the application repeatedly insists that you enable it as an accessibility service. This grants it permission to view and control the screen and to perform actions, interacting with applications on your behalf: very useful permissions for stealing credentials. The permissions requested by the application also include Contacts, SMS and Telephone.
While Google's Play Protect never intervenes to prevent the installation, after extracting the application's APK and uploading it to VirusTotal the results speak for themselves: 13 antivirus engines detect it as malware, most of them identifying it as a banking Trojan.
Meanwhile, if we run Play Protect's manual scan, it reports that no harmful applications have been found, with this fake Flash Player listed among the applications analyzed recently.
A detailed analysis of the application's APK gives us some more clues. First, the package name, com.jxmeaxvsxuiyll.nrdp, looks more like someone mashing the keyboard than what you'd expect from a real app.
If accessibility permission is granted, the app takes control of the phone and makes it difficult to close or uninstall it
The application manifest shows that the application intercepts all kinds of events on the phone: when it is turned on, when the power button is pressed, each time the screen is turned on or off, each time it is plugged in to charge... Basically, any possible event reactivates the application.
Inside, there are links to products for sale on Chinese e-commerce sites such as TMall or Alibaba, as well as multiple references to Alipay, Taobao and QuickPay. It would take specialized analysis to verify exactly how it operates, which could involve getting the user to enter their bank details when buying, in order to intercept them. We tried activating the application in an emulator, and it takes control of the phone, for example preventing you from accessing its properties (to uninstall it or force it to close).
Not only that: with accessibility permission, the application controls the phone by itself, granting itself permissions automatically. All this, remember, from an installation that began with an application downloaded directly from Google Play.
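The indicators described above (a service the user is nagged to enable as an accessibility service, Contacts/SMS/Telephone permissions, the ability to prompt installation of a further APK, receivers that wake the app on boot and power events, and a keyboard-mash package name) can all be checked statically in a decoded AndroidManifest.xml before an app is ever run. The script below is an added example written for this article, not the authors' analysis tooling: it triages a constructed manifest for a hypothetical "Flash Player" payload (only the package name is taken from the article; every other value is made up) against a constructed benign manifest for contrast. REQUEST_INSTALL_PACKAGES is the real permission an app needs to prompt the user to install another APK on Android 8 and later; the consonant-run heuristic for gibberish package names is this example's own assumption, not a standard rule, and a real name with a consonant cluster can trip it.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper / banking-trojan
indicators. Added example, not the article's tooling; both manifests below are
CONSTRUCTED for illustration and are not the real manifests of the apps discussed."""
import re
import xml.etree.ElementTree as ET

# Android manifest attributes (android:name, android:permission ...) live in this namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical "Flash Player" payload, in the
# decoded form a tool such as apktool produces. Only the package name is from the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.jxmeaxvsxuiyll.nrdp">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flash Player">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: a simple app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Permissions the article ties to credential theft, persistence and dropper behaviour.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "reads SMS (one-time codes)",
    "android.permission.RECEIVE_SMS": "receives SMS (one-time codes)",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.READ_PHONE_STATE": "reads phone state / identity",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to install further APKs (dropper)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself after boot",
}
# Manifest-declarable broadcasts that let an app re-activate itself on device events.
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def longest_consonant_run(package: str) -> int:
    """Crude 'keyboard mash' heuristic (an assumption of this example, not a standard
    rule): the longest run of consonants in any dot-separated segment of the name."""
    return max((len(m) for seg in package.lower().split(".")
                for m in CONSONANT_RUN.findall(seg)), default=0)


def triage(manifest_xml: str) -> dict:
    """Parse a decoded manifest and return the indicators found, for analyst review."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    risky = sorted(perms & set(RISKY_PERMISSIONS))
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is the component the user is nagged to enable.
    acc_services = [s.get(A + "name") for s in root.iter("service")
                    if s.get(A + "permission") == ACCESSIBILITY_PERM]
    wake = sorted({a.get(A + "name") for r in root.iter("receiver")
                   for a in r.iter("action")} & WAKE_ACTIONS)
    run = longest_consonant_run(package)

    findings = [f"permission {p}: {RISKY_PERMISSIONS[p]}" for p in risky]
    findings += [f"accessibility service {s}: can read the screen and act on the user's behalf"
                 for s in acc_services]
    if wake:
        findings.append("re-activates on device events: " + ", ".join(wake))
    if run >= 4:
        findings.append(f"package name {package!r} looks machine-generated (consonant run of {run})")
    return {"package": package, "risky_permissions": risky, "accessibility_services": acc_services,
            "wake_actions": wake, "consonant_run": run, "findings": findings}


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(xml)
        print(f"[{label}] {report['package']}: {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against an APK decoded with apktool, the same `triage` call takes the resulting AndroidManifest.xml as a string; none of these findings proves an app is malicious on its own (a legitimate SMS client reads SMS, a legitimate screen reader binds an accessibility service), which is why the function returns a list for an analyst to weigh rather than a verdict.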
At this point, the only thing left to do is report the app to Google, which, although the option is quite well hidden, can be done from Google Play on the phone. One of the available options is "harmful to device / data", which seems to fit quite well.
Now it is up to Google to take action, and not only in this specific case but against the many other low-quality or outright malicious applications that fraudulently rise through the download charts. Otherwise, there will be little difference in terms of security between installing applications from inside or outside Google Play.