Malicious entities are exploiting a tactic known as versioning to bypass Google Play Store’s malware detection and compromise Android devices.
In its August 2023 Threat Horizons Report, the Google Cybersecurity Action Team (GCAT) stated, “Campaigns employing versioning typically aim at users’ data, credentials, and financial resources.”
Although versioning is not novel, its subtlety and evasiveness make it a formidable technique. It involves a developer launching an initial, harmless version of an app in the Play Store, which passes Google’s pre-release checks, only to update it later with a malicious component.
The malicious update relies on dynamic code loading (DCL): at runtime the app fetches code from an attacker-controlled server and executes it on the user's device, which effectively turns an already-installed, already-reviewed app into a backdoor.
In May this year, ESET uncovered a covert operation with a screen recording app called “iRecorder – Screen Recorder.” The app remained benign for almost a year after its Play Store upload, after which harmful changes were surreptitiously introduced to spy on users.
The infamous SharkBot is another instance of malware that uses DCL. Frequently appearing on the Play Store under the guise of security and utility apps, SharkBot is a financial trojan that carries out unauthorized money transfers from infected devices using an Automatic Transfer System (ATS).
Malware operators deploy dropper applications that initially possess minimal functionality. Once victims install these applications, the full malware is downloaded as a later stage, so the version that went through review never contains the payload that would have been detected.
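The two passages above (the DCL-based update and the dropper that fetches its real payload after install) share one practical consequence: the useful signal is not whether an app references a code-loading API, but whether an update introduces that capability where the reviewed release had none. The following script is an added example, not code from the report, ESET, ThreatFabric or any of the projects mentioned. It scans the `classes*.dex` entries of two APK versions for DCL-related type descriptors and reports the ones that only the update carries. The APKs it inspects are constructed in-memory stand-ins whose DEX bodies are not real DEX files (no header or tables), only string-pool-like bytes, which is all the substring scan looks at; the indicator list and the version contents are assumptions chosen for illustration.

```python
"""Triage heuristic for 'versioning': diff dynamic-code-loading (DCL)
indicators between two releases of the same app (added example)."""
import io
import re
import zipfile

# Type descriptors (and their reflection-friendly dotted form) that land in a
# DEX string pool when an app can load code it did not ship with. Plenty of
# legitimate SDKs reference these too, so a hit is a triage signal, not a
# verdict; the interesting event is a descriptor that is absent from the
# release that passed review and present in a later update. (Assumed list.)
DCL_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/DexFile;",
    b"dalvik.system.DexClassLoader",  # Class.forName("...") style reference
)

DEX_NAME = re.compile(r"^classes\d*\.dex$")


def dcl_indicators(apk_bytes: bytes) -> set[bytes]:
    """Return the DCL descriptors found in any classes*.dex inside an APK.

    Descriptors sit in the DEX string pool as length-prefixed, NUL-terminated
    MUTF-8, so a raw substring search over each DEX is enough for triage; no
    DEX parser is needed. Encrypted or dynamically built strings evade this,
    which is exactly why a version-to-version diff is the useful view.
    """
    found: set[bytes] = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not DEX_NAME.match(name):
                continue
            data = apk.read(name)
            found.update(ind for ind in DCL_INDICATORS if ind in data)
    return found


def new_dcl_indicators(old_apk: bytes, new_apk: bytes) -> set[bytes]:
    """Indicators the update introduced that the earlier release lacked."""
    return dcl_indicators(new_apk) - dcl_indicators(old_apk)


def build_fake_apk(dex_files: dict[str, bytes]) -> bytes:
    """Constructed sample: a zip laid out like an APK. The 'dex' bodies are
    not real DEX, only string-pool-like content for the scanner to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder only
        for name, body in dex_files.items():
            z.writestr(name, body)
    return buf.getvalue()


# Release 1 (constructed): a plain screen-recorder-style app that references
# only framework types.
V1 = build_fake_apk({
    "classes.dex": b"\x00Landroid/media/MediaRecorder;\x00Ljava/io/File;\x00",
})
# Release 2 (constructed): the same code plus a second DEX that can pull and
# run a payload fetched at runtime.
V2 = build_fake_apk({
    "classes.dex": b"\x00Landroid/media/MediaRecorder;\x00Ljava/io/File;\x00",
    "classes2.dex": b"\x00Ldalvik/system/DexClassLoader;\x00Ljava/net/URL;\x00",
})


if __name__ == "__main__":
    for ind in sorted(new_dcl_indicators(V1, V2)):
        print("new DCL indicator in update:", ind.decode())
```

Run against real APKs, feed `dcl_indicators` the bytes of the release that was originally reviewed and of the update; an empty result for the old version and a non-empty one for the new version is the shape of the iRecorder-style change described above. Treat it as a prompt to pull the update into a sandbox, not as proof of malice, since legitimate plugin and hot-patch SDKs produce the same descriptors.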
The report highlights the necessity of robust defense principles in an enterprise setting, such as restricting app installation sources to trusted platforms like Google Play or managing corporate devices via a mobile device management (MDM) platform.
These observations coincide with ThreatFabric’s finding that malicious app creators have been exploiting an Android bug to present harmful apps as safe by “manipulating components of an app” in a way that leaves the app as a whole valid, as reported by KrebsOnSecurity.
In June, Dutch cybersecurity firm ThreatFabric also noted, “Malevolent actors can have several apps simultaneously published in the store under various developer accounts, but only one is malicious, while the other is a reserve to be used after takedown.”
This strategy lets the actors keep a campaign running across takedowns and cuts the time needed to publish another dropper and resume distribution.
To safeguard against potential threats, it is advised that Android users rely on trusted sources for app downloads and activate Google Play Protect to get alerts when a potentially harmful app (PHA) is detected on their device.