An Android app booby-trapped with malware was recently taken down from Google Play — after being available for download for almost a year.
The trojan was discovered by ESET malware researcher Lukas Stefanko, wrapped into an app called the Simple Call Recorder. The main purpose of the malware was to trick the user into installing an additional app, which purported to be an Adobe Flash Player Update.
“Simple Call Recorder lasted on the Google Play almost for a year, which is really a long time before being removed, if we consider that the app contained flashplayer_update.apk string inside,” said Stefanko in a Monday post.
Google Play’s policy prohibits apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play. This could indicate malicious intent: “From my experience, if an Android application mimics or downloads Flash Player– in this case not even from Adobe servers – it is a warning signal for users, because the app is most likely to be malicious,” he said.
Simple Call Recorder, published by the “FreshApps Group,” was first uploaded to Google Play on Nov. 30, 2017. According to AppBrain, the application has had 5,000 installs since then.
The app has since been removed.
Google did not respond to a request for comment on this specific incident – and how it could prevent other similar incidents from happening – from Threatpost.
The Malware
In addition to call-recording functionality, the app contains malicious code responsible for downloading and installing additional apps.
Stefanko said that this functionality is not an integral part of the call-recorder app, but has instead been added by an attacker as a way to prompt users to install an additional app that impersonates the Flash Player update.
He speculated that an attacker found the app on an alternative source – or even open-source code on GitHub – and then stole the call-recording functionality, and was able to implement the malicious code and uploaded it on the Google Play store.
After it is installed and launched, the app decrypted an additional binary file (carried in “assets”) and dynamically loaded the file, said Stefanko.
The action is worrying because first of all, it’s a behavior typical for most Android threats these days, said the researcher. Second of all, the Flash Player being mimicked is not even downloaded from Adobe servers.
However, Stefanko said that he was not able to retrieve said app through the link hard-coded into the APK: “It is likely that the app has already been removed from the server after being available for download for over 11 months,” he wrote. “At the time of writing, the attacker’s server was still up but his registered domain will soon expire unless extended.”
Ironically, just last week Google released new data charting its plans to reduce malicious apps in the Google Play ecosystem. The report stressed that Android devices that only download apps from Google Play are nine times less likely to end up with malware.
And, “Since 2017, we’ve reduced [the number of devices infected with PHAs] by expanding the auto-disable feature,” Jason Woloz and Eugene Liderman of the Android Security & Privacy Team, said in the post. That auto-disable feature flags potential malware and requires user action to continue the installation.
However, incidents like Simple Call Recorder and other apps continue to slip through the cracks. Earlier this year, Google removed 22 malicious adware apps ranging from flashlights to call recorders, that were together downloaded up to 7.5 million times in total from the Google Play marketplace. And, in June, it was discovered that a battery-saving app also allowed attackers to snatch text messages and read sensitive log data.