Google has fought for years to keep malicious applications from sneaking into the Play Store, but a new round of takedowns highlights how hard the problem is to get under control. At the beginning of March, Google removed 56 applications that appeared harmless but were loaded with adware. Together they had been downloaded more than a million times.
While more than half of the apps posed as harmless utilities like calculators, translation tools, or cooking apps, the usual disguises for adware, 24 were aimed specifically at children. Eye-catching offerings such as puzzles and racing games are a particularly effective way for attackers to get malware onto more victims' devices. Check Point researchers, who have been investigating how hackers hide and spread malware on Google Play, shared information about the apps with Google, and today they are publishing details about the adware.
"Because parents tend to give their devices to their children to play with, it is an important attack vector to lure children to install malicious applications to reach adult devices," said Aviran Hazum, manager of mobile research at Check Point. "Most children have no understanding of checking applications."
Adware has long been a threat to mobile devices, but attackers have become particularly aggressive in spreading it over the past few months. The threat detection company Malwarebytes found in its annual report that adware, as the most common threat on Android devices, Macs and Windows PCs, was the "top priority" of 2019. Earlier this month, the antivirus company Avast published findings that adware accounted for 72 percent of all Android malware between October and December last year. And beyond Android, every platform seems to be scrambling to reduce the risk to users. For example, Microsoft announced at the end of February that its Edge browser would search for and block adware downloads by default.
The adware in the malicious apps was built specifically to abuse Android's "MotionEvent" mechanism. App developers use it to detect movements such as taps and multi-finger gestures and to collect information about them, such as their coordinates on the screen in two- and three-dimensional space. MotionEvent helps apps interpret these user inputs accordingly. The adware, which Check Point calls Tekya, manipulated these inputs to simulate user taps.
Researchers observed Tekya generating fake clicks to earn revenue from advertising networks like Facebook, Unity, AppLovin and Google's AdMob. Adware manipulates the ad ecosystem to make money for hackers by making it appear as if an army of users has viewed and interacted with ads. Many of the 56 infected applications Check Point identified were not only benign-looking utilities but also clones of legitimate applications, designed to confuse users and increase the likelihood that they accidentally download the malicious version, like a fake Stickman game and versions of Hexa Puzzle and Jewel Block Puzzle. The group also included a malicious PDF reader and a Burning Man app.
Tekya hides its abusive functionality in a lower layer of the applications: the part of the software package known as "native code", which is notoriously difficult to check for malicious components.
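Because native code is the layer reviewers most often skip, a practical first step when triaging an APK is simply to find out whether it ships native libraries at all, for which ABIs, and what their hashes are, so they can be compared against a blocklist or sent for deeper analysis. The script below is an added example written for this article; it is not code from WIRED, Check Point, or Google. It relies only on the fact that an APK is a ZIP file with native libraries stored under `lib/<abi>/*.so`. The sample APK it builds is constructed in memory, and the library bodies are placeholder bytes rather than real ELF files.

```python
"""Inventory the native code shipped inside an Android APK.

Added example, not from the article or from Check Point. An APK is a ZIP
archive; native libraries live under lib/<abi>/*.so. Listing and hashing
them is the first triage step before any of them is reverse engineered.
"""
import hashlib
import io
import zipfile
from typing import Dict, FrozenSet, List


def native_libs(apk_bytes: bytes) -> Dict[str, List[dict]]:
    """Return {abi: [{"name", "size", "sha256"}, ...]} for every entry
    under lib/<abi>/ whose name ends in .so."""
    out: Dict[str, List[dict]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            # Only exact lib/<abi>/<file>.so paths count as native libraries.
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue
            data = zf.read(info)
            out.setdefault(parts[1], []).append({
                "name": parts[2],
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return out


def triage_summary(apk_bytes: bytes, known_bad: FrozenSet[str] = frozenset()) -> dict:
    """Summarise the native-code footprint and flag any library whose
    SHA-256 appears in a caller-supplied blocklist (hashes are assumed
    to come from the reviewer's own intelligence; none are embedded here)."""
    libs = native_libs(apk_bytes)
    all_libs = [lib for abi_libs in libs.values() for lib in abi_libs]
    return {
        "has_native_code": bool(all_libs),
        "abis": sorted(libs),
        "lib_count": len(all_libs),
        "known_bad_hits": sorted({lib["name"] for lib in all_libs
                                  if lib["sha256"] in known_bad}),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with a manifest, a dex file and
    two native libraries. The .so bodies are placeholder bytes, not real ELF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF placeholder arm64")
        zf.writestr("lib/armeabi-v7a/libhelper.so", b"\x7fELF placeholder arm32")
        zf.writestr("assets/readme.txt", b"not native code")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for abi, libs in native_libs(apk).items():
        for lib in libs:
            print(f"{abi:14} {lib['name']:20} {lib['size']:6d} {lib['sha256'][:16]}...")
    print(triage_summary(apk))
```

Run it against a real APK by replacing `build_sample_apk()` with the bytes of the file; an app that advertises itself as a calculator or a children's puzzle yet ships native libraries for several ABIs is not automatically malicious, but it is exactly the kind of package where the native layer deserves a closer look rather than being waved through.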
Google confirmed to WIRED that the apps were removed earlier this month. The company has worked hard to curb the influx of malicious applications into Google Play: it has carried out extensive coordinated takedowns and developed advanced detection tools to catch more lemons during the Play Store review process. It has even enlisted outside help in the war against malicious apps.
However, with more than 3 million apps on Google Play and hundreds of new submissions a day, it is still a challenge for Google to catch everything. As long as it remains relatively easy for fraudsters to create and distribute malicious apps, they will keep coming.