Google can't hold back this malware running riot in its Play store
Ad fraud, scareware slinger Android.Spy.277.origin found in more than 100 apps
Security researchers have discovered a strain of Android malware that keeps finding its way onto Google Play – despite the store supposedly being scrubbed clean of infiltrated apps.
The software nasty – Android.Spy.277.origin – is hidden in more than 100 applications on Google Play. Sketchy programs harboring the malware masquerade as legitimate popular games and the like, but they come with a secret backdoor.
Once the infected app is installed, the attacker can remotely download a malicious APK called "polacin.io" to the device. After the victim is tricked into allowing the code to be installed, the Android device sends a wide array of information about the hardware to command and control servers, plus the user's email address and location.
Hackers make money from the malicious app through ad click fraud and by pushing mobile scareware. Users are induced into installing fraudulent apps by saying the device has battery issues that can be solved by downloading utilities which, in reality, have little or no use.
Even after Google removed samples of the dodgy software from Google Play, Check Point's Mobile Threat Prevention research team found an additional app, called Street Stick Battle, containing the same malicious payload. The rogue app has notched up between one million and five million downloads.
The incident provides further evidence that users can't strictly trust official app stores to stay protected. Malware can infiltrate these stores on multiple instances even after initial detection. El Reg asked Google to comment on the incident but we've yet to hear back.
More details about the return of the Google Play scam – complete with screenshots and more technical information – can be found in a blog post by Check Point's Oren Koriat here. ®