{"id":49579,"date":"2023-11-09T09:36:58","date_gmt":"2023-11-09T14:36:58","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=49579"},"modified":"2023-11-14T05:05:49","modified_gmt":"2023-11-14T10:05:49","slug":"malware-in-google-play-2023","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/malware-in-google-play-2023\/49579\/","title":{"rendered":"Google Play malware clocks up more than 600 million downloads in 2023"},"content":{"rendered":"

Users tend to think it\u2019s safe to install apps from Google Play. After all, it\u2019s the most official of all official stores for Android, and all apps there are thoroughly vetted by Google moderators, right?<\/p>\n

Bear in mind, however, that Google Play is home to more than three million unique apps<\/a>, most of which get updated regularly, and to vet all of them thoroughly \u2014 that is, really <\/em>thoroughly \u2014 is beyond the resources of even one of the world\u2019s largest corporations.<\/p>\n

Well aware of this, makers of malicious apps have developed a number of techniques to sneak their creations onto Google Play. In this post, we take a look at the most headline-grabbing cases of 2023 regarding malicious apps on the official Android store, with total downloads in excess of \u2014 wait for it \u2014 600 million. Let\u2019s go!\u2026<\/p>\n

50,000 downloads: infected iRecorder app eavesdrops on users<\/h2>\n

Let\u2019s start with the fairly minor, but quite interesting and highly illustrative case of iRecorder. This unremarkable screen-recording app for Android smartphones was uploaded to Google Play in September 2021.<\/p>\n

But then, in August 2022, its developers added some malicious functionality: code from the remote access Trojan AhMyth, which caused the smartphones of all users who had installed the app to record sound from the microphone every 15 minutes and send it to the server of the app creators. By the time researchers discovered the malware<\/a> in May 2023, the iRecorder app had been downloaded more than 50,000 times.<\/p>\n

This example demonstrates one of the ways in which malicious apps creep into Google Play. First, cybercriminals upload an innocuous app to the store that\u2019s guaranteed to sail through all moderation checks. Then, when the app has built an audience and some kind of reputation (which can take months or even years), it\u2019s augmented with malicious functionality in its next update uploaded to Google Play.<\/p>\n

620,000 downloads: Fleckpe subscription Trojan<\/h2>\n

Also in May 2023, our experts found several apps on Google Play<\/a> infected with the Fleckpe subscription Trojan. By that time, they\u2019d already chalked up 620,000 installs. Interestingly, these apps were uploaded by different developers. And this is another common tactic: cybercriminals create numerous developer accounts in the store so that even if some get blocked by the moderators they can just upload a similar app to another account.<\/p>\n

\"Apps<\/a>

Apps on Google Play infected with the Fleckpe subscription Trojan<\/p><\/div>\n

When the infected app was run, the main malicious payload was downloaded to the victim\u2019s smartphone, after which the Trojan connected to the command-and-control server and transferred country and cellular operator information. Based on this information, the server provided instructions on how to proceed. Fleckpe then opened web pages with paid subscriptions in a browser window invisible to the user, and by intercepting confirmation codes from incoming notifications subscribed the user to needless services paid for through the cellular operator account.<\/p>\n

1.5 million downloads: Chinese spyware<\/h2>\n

In July 2023, Google Play was found to be hosting<\/a> two file managers \u2014 one with one million downloads, the other with half a million. Despite the developers\u2019 assurances that the apps don\u2019t collect any data, researchers found that both transmitted a lot of user information to servers in China, including contacts, real-time geolocation, data about the smartphone model and cellular network, photos, audio and video files, and more.<\/p>\n

\"File<\/a>

File managers on Google Play with Chinese spyware inside. Source<\/a><\/p><\/div>\n

To avoid being uninstalled by the user, the infected apps hid their desktop icons \u2014 another common tactic used by mobile malware creators.<\/p>\n

2.5 million downloads: background adware<\/h2>\n

In a recent case of malware detection on Google Play in August 2023, researchers found<\/a> as many as 43 apps \u2014 including, among others, TV\/DMB Player, Music Downloader, News, and Calendar \u2014 that secretly loaded ads when the user\u2019s smartphone screen was off.<\/p>\n

\"Apps<\/a>

Some of the apps with hidden adware. Source<\/a><\/p><\/div>\n

So as to be able to carry out their business in the background, the apps requested the user to add them to the list of power-saving exclusions. Naturally, affected users experienced reduced battery life. These apps had a combined total of 2.5 million downloads, and the target audience was primarily Korean.<\/p>\n

20 million downloads: scammy apps promise rewards<\/h2>\n

A study published in early 2023 revealed several shady apps<\/a> on Google Play with more than 20 million downloads between them. Positioning themselves primarily as health trackers, they promised users cash rewards for walking and other activities, as well as for viewing ads or installing other apps.<\/p>\n

\"Scam<\/a>

Apps on Google Play promising rewards for walking and viewing ads. Source<\/a><\/p><\/div>\n

More precisely, the user was awarded points for these actions, which could then supposedly be converted into real money. The only trouble was that to get a reward, you had to amass such a huge number of points that it was effectively impossible.<\/p>\n

35 million downloads: Minecraft clones with adware inside<\/h2>\n

Google Play also became home to malicious games this year, with the main culprit (and not for the first time<\/a>) being Minecraft \u2014 still one of the most popular titles in the world. In April 2023, 38 Minecraft clones were detected<\/a> in the official Android store, with a total of 35 million downloads. Hidden inside these apps was adware called, appropriately enough, HiddenAds.<\/p>\n

\"Adware-infected<\/a>

Block Box Master Diamond \u2014 the most popular of the Minecraft clones infected by HiddenAds. Source<\/a><\/p><\/div>\n

When the infected apps were launched, they \u201cdisplayed\u201d hidden ads without the user\u2019s knowledge. That didn\u2019t pose a serious threat per se, but such behavior could have affect device performance and battery life.<\/p>\n

And those infected apps could always be followed up later by a far less harmless monetization scheme. This is another standard tactic of Android malware app creators: they readily switch between different types of malicious activity depending on what\u2019s profitable at any given moment.<\/p>\n

100\u00a0million downloads: data harvesting and click fraud<\/h2>\n

Also in April 2023, another 60 apps<\/a> were found on Google Play infected with adware that researchers dubbed Goldoson. These apps collectively had more than 100 million downloads on Google Play and a further eight million on the popular Korean ONE store<\/a>.<\/p>\n

This malware also \u201cshowed\u201d hidden ads by opening web pages within the app in the background. In addition, the malicious apps collected user data \u2014 including information about installed apps, geolocation, addresses of devices connected to the smartphone via Wi-Fi and Bluetooth, and more.<\/p>\n

Goldoson seems to have gotten into all these apps along with an infected library used by many legitimate developers that were simply unaware that it contained malicious functionality. And this isn\u2019t an uncommon occurrence: often malware creators don\u2019t develop and publish apps on Google Play themselves, but instead create infected libraries of this kind that end up in the store along with other developers\u2019 apps.<\/p>\n

451 million downloads: mini-game ads and data harvesting<\/h2>\n

We close with the biggest case of the year: in May 2023, a team of researchers found<\/a> a whopping 101 ineligible apps on Google Play, with combined downloads of 421 million. Lurking inside each and every one of them was a SpinOk code library.<\/p>\n

Shortly after that, another team of researchers discovered 92 more apps<\/a> on Google Play with the same SpinOk library, with a slightly more modest number of downloads \u2014 30 million. In all almost 200 apps containing SpinOK code were found, with a total of 451 million downloads from Google Play between them. This is another case where dangerous code was delivered into applications from a third-party library.<\/p>\n

\"Mini-games<\/a>

Mini-games promising \u201crewards\u201d that showed users applications containing SpinOk code. Source<\/a><\/p><\/div>\n

On the surface, the infected apps\u2019 task was to display intrusive mini-games promising cash rewards. But that wasn\u2019t all: the SpinOK library had the ability to collect and send user data and files to its developers\u2019 command-and-control server in the background.<\/p>\n

How to guard against malware on Google Play<\/h2>\n

Of course, we haven\u2019t covered all the cases of malicious apps getting onto Google Play in 2023 \u2014 only the most eye-catching. The main takeaway from this post is this: malware on Google Play is far more common than any of us would like to think \u2014 infected apps have a combined download total in excess of half a billion!<\/p>\n

Nevertheless, official stores remain by far the safest sources. Downloading apps elsewhere is far more dangerous, for which reason we strongly advise against it<\/a>. But you must exercise caution in official stores as well:<\/p>\n