The Stealthy Tactic Targeting Android Apps


August 3, 2023
Nextdoorsec-course

Threat actors are using a tactic known as versioning to slip past the Google Play Store’s malware checks and compromise Android devices.

In its August 2023 Threat Horizons Report, the Google Cybersecurity Action Team (GCAT) stated, “Campaigns employing versioning typically aim at users’ data, credentials, and financial resources.”

Versioning is not new, but it is subtle and hard to catch: a developer publishes an initial, harmless version of an app that passes Google’s pre-publication review, and only later, once the app is already vetted and installed, pushes an update that introduces the malicious component.

The malicious update relies on dynamic code loading (DCL): instead of shipping the payload inside the reviewed APK, the app fetches code from an attacker-controlled server at runtime and executes it on the device, effectively turning the app into a backdoor.

In May this year, ESET uncovered a covert operation with a screen recording app called “iRecorder – Screen Recorder.” The app remained benign for almost a year after its Play Store upload, after which harmful changes were surreptitiously introduced to spy on users.


The SharkBot banking trojan is another example of malware that relies on DCL. It repeatedly appears on the Play Store disguised as security and utility apps, and once installed it carries out unauthorized money transfers from compromised devices using an Automatic Transfer System (ATS) technique.

Malware operators publish dropper apps that ship with minimal functionality. Once a victim installs one, it downloads the full malware payload, so the malicious code is never present in the version Google reviewed.
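Because both versioning and droppers work by adding behaviour after the reviewed build, the practical check is a diff between the version that passed review and the update: did the update introduce runtime class loading or new permissions? The script below is an added example, not code from the article, Google, or ESET. It assumes the APK’s AndroidManifest.xml has already been decoded to plain XML (for instance by apktool; real manifests are binary AXML), searches the classes*.dex entries as raw bytes (DEX string tables store class descriptors and method names verbatim, so a byte search for loader descriptors works without a full DEX parser), and builds two constructed stand-in APKs in memory so it runs offline.

```python
"""Version-diff triage for Android app updates (added example).

Assumptions (not from the article): the APK is a zip whose AndroidManifest.xml
has already been decoded to plain XML, and classes*.dex entries are scanned as
raw bytes for the class descriptors and method names that mark dynamic code
loading (DCL).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Descriptors and method names that indicate code loaded at runtime.
DCL_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/DexFile;",
    b"loadDex",
)


def extract_indicators(apk_bytes: bytes) -> dict:
    """Return declared permissions and DCL indicators found in an APK."""
    found = {"permissions": set(), "dcl": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = ET.fromstring(zf.read("AndroidManifest.xml"))
        for perm in manifest.iter("uses-permission"):
            found["permissions"].add(perm.get(ANDROID_NS + "name", ""))
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                dex = zf.read(name)
                for marker in DCL_INDICATORS:
                    if marker in dex:
                        found["dcl"].add(marker.decode())
    return found


def diff_versions(old_apk: bytes, new_apk: bytes) -> dict:
    """What the update adds relative to the version that passed review."""
    old, new = extract_indicators(old_apk), extract_indicators(new_apk)
    return {
        "new_permissions": sorted(new["permissions"] - old["permissions"]),
        "new_dcl": sorted(new["dcl"] - old["dcl"]),
    }


def is_suspicious_update(old_apk: bytes, new_apk: bytes) -> bool:
    """The versioning pattern: an update that introduces runtime code loading."""
    return bool(diff_versions(old_apk, new_apk)["new_dcl"])


def build_apk(permissions, dex_strings) -> bytes:
    """Constructed stand-in APK for offline testing; not a real app."""
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.recorder">'
        + "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
        + "</manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        # A DEX header magic followed by a fake string table is enough for
        # the byte search; a real classes.dex would be scanned the same way.
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
    return buf.getvalue()


# Constructed sample: a benign screen/audio recorder, then an update that
# gains network access and a DexClassLoader reference.
BENIGN_V1 = build_apk(
    ["android.permission.RECORD_AUDIO"],
    [b"Lcom/example/recorder/MainActivity;", b"Landroid/media/MediaRecorder;"],
)
UPDATE_V2 = build_apk(
    ["android.permission.RECORD_AUDIO", "android.permission.INTERNET"],
    [b"Lcom/example/recorder/MainActivity;", b"Ljava/net/HttpURLConnection;",
     b"Ldalvik/system/DexClassLoader;", b"loadClass"],
)

if __name__ == "__main__":
    print(diff_versions(BENIGN_V1, UPDATE_V2))
```

A DexClassLoader reference is not proof of malice (ad SDKs and plugin frameworks use it legitimately), so the diff is a triage signal: an update that adds a loader plus network permission to an app that never needed either is the one to pull apart by hand.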

The report highlights the necessity of robust defense principles in an enterprise setting, such as restricting app installation sources to trusted platforms like Google Play or managing corporate devices via a mobile device management (MDM) platform.

These findings coincide with ThreatFabric’s report that malicious app developers have been exploiting an Android bug to make harmful apps appear safe by “manipulating components of an app” in a way that keeps the app valid, as reported by KrebsOnSecurity.

In June, Dutch cybersecurity firm ThreatFabric also noted, “Malevolent actors can have several apps simultaneously published in the store under various developer accounts, but only one is malicious, while the other is a reserve to be used after takedown.”

This strategy lets the actors keep a campaign running for longer and cuts the time needed to publish a replacement dropper after a takedown.

To reduce exposure, Android users should install apps only from trusted sources and keep Google Play Protect enabled so that they are alerted when a potentially harmful app (PHA) is detected on their device.

Author: Saher

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
