Bitdefender researchers recently analyzed 25 apps that made it into Google Play, at least for a time, packing aggressive adware SDKs that bombarded users with ads and avoided removal by hiding their presence. Cumulatively, the apps were apparently downloaded almost 700,000 times by Google Play users.
While Google has gone to great lengths to ban malicious or potentially unwanted applications from the official Android app store, malware developers are nothing if not imaginative when coming up with new ideas to dodge Google Play Protect.
Some of the key techniques found for dodging security vetting revolve around using open source utility libraries (used by Evernote, Twitter, Dropbox, etc.) to run jobs in the background, using different developer names to submit identical code, and even hiding code that is triggered remotely by command & control servers.
Key techniques found for dodging security vetting:
- Main logic is encrypted and loaded dynamically
- Checks that the system time is at least 18 hours past a hardcoded numerical timestamp (a plain number, not a time object) before it starts hiding its presence
- Uses an open source utility library (used by Evernote, Twitter, Dropbox, etc.) to run jobs in the background
- Longer display time between ads (up to 350
- Adware SDK, written in Kotlin, with debug symbols present and no obfuscation, possibly mimicking clean SDKs
- Uses different developers to submit identical code
- Hidden code that is triggered remotely by server config or command, instead of the timers used previously
- Uploads an initially clean application and then adds a malicious update
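The time-gated activation in the list above (a hardcoded numeric timestamp rather than a time object, plus an 18-hour delay) leaves a recognisable pattern in decompiled code. As an added illustration that is not from the Bitdefender report, the Python below scans decompiled Java-style source for `System.currentTimeMillis()` compared against an epoch-millisecond constant expression and reports when the gated behaviour would switch on; the sample source and the `hideLauncherIcon` name are constructed for the example.

```python
import ast
import re
from datetime import datetime, timezone
EPOCH_MS_FLOOR = 1_000_000_000_000  # 2001-09-09 UTC; smaller literals are not epoch-ms timestamps
# currentTimeMillis() compared against an integer constant expression (literal on the right only)
GATE_RE = re.compile(r"currentTimeMillis\(\)\s*(?:>=|>|<=|<)\s*([0-9_lL\s()+*-]+)(?:[&|;{]|$)")
OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b}

def _const_eval(node):
    """Evaluate a Java-style integer constant expression (+, -, *) without eval()."""
    if isinstance(node, ast.Expression):
        return _const_eval(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_const_eval(node.left), _const_eval(node.right))
    raise ValueError("not a constant integer expression")

def _utc(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def find_time_gates(source):
    """One record per line that gates behaviour on a hardcoded epoch-millisecond constant."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = GATE_RE.search(line)
        if not m:
            continue
        expr = re.sub(r"(?<=\d)[lL]", "", m.group(1)).strip()  # drop Java long suffixes
        while expr.endswith(")") and expr.count(")") > expr.count("("):
            expr = expr[:-1].rstrip()  # the if-statement's own closing paren, not the expression's
        try:
            threshold = _const_eval(ast.parse(expr, mode="eval"))
        except (ValueError, SyntaxError):
            continue
        stamps = [int(t) for t in re.findall(r"\d[\d_]*", expr) if int(t) >= EPOCH_MS_FLOOR]
        if not stamps:
            continue  # e.g. "> 0L": a comparison, but not a calendar-based trigger
        anchor = max(stamps)
        hits.append({"line": lineno, "anchor_utc": _utc(anchor),
                     "delay_hours": (threshold - anchor) / 3_600_000,
                     "activates_utc": _utc(threshold)})
    return hits

# Constructed sample of decompiled Java, not code from any of the analyzed apps.
SAMPLE_SOURCE = """\
if (System.currentTimeMillis() > 0L) { log("first run"); }  // no calendar anchor: ignored
if (System.currentTimeMillis() > 1569888000000L + 18 * 60 * 60 * 1000) {
    hideLauncherIcon();  // 1569888000000 is a bare number, not a Date/Calendar object
}"""
```

Running `find_time_gates(SAMPLE_SOURCE)` reports the anchor as 2019-10-01T00:00:00Z with an 18-hour delay, which tells an analyst when the hidden behaviour starts without waiting for it in a sandbox.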
For a more detailed technical analysis, please check out the technical paper below:
*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Liviu Arsene. Read the original post at: https://labs.bitdefender.com/2019/10/dozens-of-apps-still-dodging-googles-vetting-system/