The Stealthy Tactic Targeting Android Apps


August 3, 2023

Malicious entities are exploiting a tactic known as versioning to bypass Google Play Store’s malware detection and compromise Android devices.

In its August 2023 Threat Horizons Report, the Google Cybersecurity Action Team (GCAT) stated, “Campaigns employing versioning typically aim at users’ data, credentials, and financial resources.”

Although versioning is not novel, its subtlety and evasiveness make it a formidable technique. It involves a developer launching an initial, harmless version of an app in the Play Store, which passes Google’s pre-release checks, only to update it later with a malicious component.

The process involves dynamic code loading (DCL) to serve malicious code from an attacker-controlled server onto the user’s device, effectively transforming the app into a backdoor.
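A defender-side check for the update pattern described above, as an added example that is not from the Google report or this article: it compares two versions of an app and flags an update that adds both a runtime code loader and a new network host. The input format (decoded manifest text plus DEX string-table entries), the package name and the host are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android framework class loaders that can load code fetched after install.
DCL_LOADERS = {"Ldalvik/system/DexClassLoader;",
               "Ldalvik/system/InMemoryDexClassLoader;"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def profile(manifest_xml, dex_strings):
    """Reduce one app version to the features that matter for a versioning check."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    loaders = {s for s in dex_strings if s in DCL_LOADERS}
    hosts = {u.split("/")[2] for s in dex_strings for u in URL_RE.findall(s)}
    return {"permissions": perms, "loaders": loaders, "hosts": hosts}

def diff_update(old, new):
    """Return what the update added, plus a flag for the DCL-plus-new-host pattern."""
    added = {k: sorted(new[k] - old[k]) for k in old}
    added["review"] = bool(added["loaders"] and added["hosts"])
    return added

# Constructed sample data (not taken from any real app).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.recorder">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace("</manifest>", """\
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>""")
STRINGS_V1 = ["Lcom/example/recorder/MainActivity;"]
STRINGS_V2 = STRINGS_V1 + ["Ldalvik/system/DexClassLoader;",
                           "https://updates.example.invalid/module.dex"]

def check_sample():
    """Diff the constructed benign release against the constructed update."""
    return diff_update(profile(MANIFEST_V1, STRINGS_V1),
                       profile(MANIFEST_V2, STRINGS_V2))

if __name__ == "__main__":
    for key, value in check_sample().items():
        print(key, value)
```

A flagged update is a prompt for manual review, not a verdict: legitimate apps also use these loaders, so the value lies in seeing them appear for the first time alongside new permissions and hosts.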

In May this year, ESET uncovered a covert operation with a screen recording app called “iRecorder – Screen Recorder.” The app remained benign for almost a year after its Play Store upload, after which harmful changes were surreptitiously introduced to spy on users.


The infamous SharkBot is another instance of malware that uses DCL. Frequently appearing on the Play Store under the guise of security and utility apps, SharkBot is a financial trojan that carries out unauthorized money transfers from infiltrated devices using the Automated Transfer Service (ATS) protocol.

Malware operators publish dropper applications that initially have minimal functionality. Once a victim installs one, it downloads the full version of the malware, a staging step meant to avoid detection.

The report highlights the necessity of robust defense principles in an enterprise setting, such as restricting app installation sources to trusted platforms like Google Play or managing corporate devices via a mobile device management (MDM) platform.

These observations coincide with ThreatFabric’s revelation, reported by KrebsOnSecurity, that malicious app creators have been exploiting an Android bug to present harmful apps as safe by “manipulating components of an app” such that the app remains valid.

In June, Dutch cybersecurity firm ThreatFabric also noted, “Malevolent actors can have several apps simultaneously published in the store under various developer accounts, but only one is malicious, while the other is a reserve to be used after takedown.”

This strategy helps these actors maintain prolonged campaigns and minimizes the time needed to publish another dropper to continue the distribution campaign.

To safeguard against potential threats, it is advised that Android users rely on trusted sources for app downloads and activate Google Play Protect to get alerts when a potentially harmful app (PHA) is detected on their device.

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
