Every now and then, news of malware discovered on Google Play spreads, to which Google responds by highlighting all the malware it has blocked with Google Play Protect and promising further examination. Even so, it is easy to find malware on Google Play: it sits among the top downloads.
We didn’t have to look too hard to come across a malicious app on Google Play, and it isn’t even hiding very much. Under the cover of a PDF editor, the first thing it does when opened is download another malicious app and encourage you to grant it special permissions.
Malware doesn’t hide
According to Tim Cook, loading apps from outside of official stores is the biggest threat to device security, but the truth is, you don’t have to leave the store. Malware distributors know how to bypass Google Play’s security to make their applications reachable by a greater number of users.
With nearly 3 million apps on Google Play (according to Statista), malware could be lurking anywhere on Google Play, but you don’t have to dig deep. In the Top 169 apps for Europe you’ll find PDF +, with over 10,000 downloads and the promise of a PDF document editor to open, highlight, and annotate. The description is a copy of the PDF Expert description on the App Store.
With a perfect score of 5.0 from 38 votes, there doesn’t seem to be any reason to be wary of the app, which has professional-looking illustrative images that showcase its virtues (and that have little to do with what you will find by installing it). The screenshots appear to be from another application, called PDF Reader Pro.
It’s easy to climb to the top of the Google Play rankings – all you need are fake or incentivized reviews and downloads.
We have already seen how easy it is to buy reviews on Google Play, a mechanism well known to those who distribute malware. With enough money and the promise of a reward, users are enticed to download apps and leave positive reviews, which pushes them up to the top downloads. It is quite common to find genuinely unwanted apps at the top of Google Play. The surprise comes when you install one.
This app is a scam
After opening the app, the interface has little or nothing to do with the Google Play preview. The first thing it does is ask for permission to install an update, which is a little odd. Stranger still, this update is an APK file that identifies itself as Flash Player. Yes, the same Flash Player that lost official support in 2012. Or, rather, not the same, because it’s just a sham.
At this point, many users will start to suspect that there is something wrong with the app, but those who go ahead will end up installing what is called a banking trojan, a type of malware that specializes in attempting to steal bank credentials, straight from Google Play and with Play Protect looking the other way.
The first thing the app does is ask you to download and install an APK with a Trojan horse.
When you open Flash Player, the application repeatedly insists that you activate it as an accessibility service. This allows it to view and control the screen, as well as perform actions by interacting with apps on your behalf: very useful permissions for stealing credentials. Among the permissions the application requests are Contacts, SMS and Phone.
While Google’s Play Protect never steps in to prevent installation, after extracting the APK from the app and uploading it to VirusTotal, the results speak for themselves: 13 antivirus engines detect it as malware. Most of them identify it as a banking Trojan.
Meanwhile, if we run a manual Play Protect scan, it reports that no harmful application was found, even though this bogus Flash Player is among the applications it recently scanned.
A detailed APK analysis of the app gives us some additional clues. First, the package name, com.jxmeaxvsxuiyll.nrdp, looks more like random keystrokes than what you would expect from a real app.
If accessibility permission is given, the app takes control of the mobile and makes it difficult to close or uninstall it
The app manifest shows that the app intercepts all kinds of events that occur on the phone: when it boots, when the power button is pressed, whenever the screen turns on or off, each time it is powered on... Essentially, any such event reactivates the application.
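A defender triaging an APK can check the signals this article describes (a random-looking package name, an accessibility service, Contacts/SMS/Phone permissions, and receivers that relaunch the app on system events) mechanically. The script below is an added example for this article, not code from the original piece or from any analysis tool; it parses a constructed AndroidManifest.xml that mimics those traits (it is not the real app’s manifest) and prints triage findings. The permission and action lists and the package-name thresholds are the editor’s assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest reproducing the traits the article describes.
# It is NOT the real app's manifest; only the package name comes from the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.jxmeaxvsxuiyll.nrdp">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Player">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Triage lists chosen by the editor for this example; not an official list.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
VOWELS = set("aeiou")


def parse_manifest(xml_text):
    """Extract package name, requested permissions, whether an accessibility
    service is declared, and the intent actions its receivers listen for."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    a11y = any(s.get(ANDROID + "permission") == BIND_A11Y for s in root.iter("service"))
    actions = {a.get(ANDROID + "name") for r in root.iter("receiver") for a in r.iter("action")}
    return {"package": root.get("package"), "permissions": permissions,
            "accessibility_service": a11y, "receiver_actions": actions}


def package_name_stats(package):
    """Return (vowel_ratio, longest_consonant_run) over the package segments,
    ignoring the leading reverse-domain label (com, org, ...)."""
    segments = [re.sub(r"[^a-z]", "", s) for s in package.lower().split(".")[1:]]
    letters = "".join(segments)
    if not letters:
        return 0.0, 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    runs = [len(r) for s in segments for r in re.findall(r"[^aeiou]+", s)]
    return vowel_ratio, max(runs, default=0)


def looks_random(package, min_vowel_ratio=0.3, max_consonant_run=3):
    """Heuristic: real words spread vowels through the name; keyboard mashing
    does not. Thresholds are an assumption and will flag some acronyms."""
    ratio, longest = package_name_stats(package)
    return ratio < min_vowel_ratio or longest > max_consonant_run


def assess(xml_text):
    """Return human-readable triage findings for one manifest."""
    m = parse_manifest(xml_text)
    findings = []
    if looks_random(m["package"]):
        findings.append(f"package name {m['package']} looks machine-generated")
    if m["accessibility_service"]:
        findings.append("declares an accessibility service (can read and drive the screen)")
    sensitive = sorted(m["permissions"] & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("requests sensitive permissions: " + ", ".join(p.rsplit(".", 1)[1] for p in sensitive))
    wake = sorted(m["receiver_actions"] & WAKE_ACTIONS)
    if wake:
        findings.append("receivers relaunch it on system events: " + ", ".join(a.rsplit(".", 1)[1] for a in wake))
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_MANIFEST):
        print("-", line)
```

On a real APK, the binary manifest must first be decoded (for instance with apktool) before this parser can read it; none of the four findings alone proves malice, but an accessibility service combined with SMS/Contacts access and boot-time relaunch is exactly the profile the article describes for the fake Flash Player.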
Inside, there are links to products for sale on Chinese e-commerce sites like TMall or Alibaba, as well as multiple references to Alipay, Taobao and QuickPay. It would take specialist analysis to determine exactly what the transaction does; it could be related to tricking the user into entering their bank details during a purchase in order to intercept them. We tried activating the app in an emulator, and it takes control of the phone, for example preventing you from accessing its properties (to uninstall it or force it to close).
Not only that: with accessibility permission, the app controls the phone by itself and automatically grants itself permissions. All of this, remember, comes from a secondary installation triggered directly by an app downloaded from Google Play.
At this point, all that remains is to report the app to Google, which, although the option is fairly hidden, can be done from Google Play on the phone. One of the options available is “harmful to device / data”, which seems fitting enough.
Now it’s up to Google to act, and not just for this specific case, but for many other poor quality or outright malicious applications that rise like foam to the top of fraudulent download charts. Otherwise, there won’t be much difference in terms of security between installing apps from inside or outside of Google Play.