Google Play has been spreading advanced Android malware for years

reader comments

32 with 28 posters participating, including story author

Hackers have been using Google Play for years to distribute an unusually advanced backdoor capable of stealing a wide range of sensitive data, researchers said on Tuesday.

Researchers from security firm Kaspersky Lab have recovered at least eight Google Play apps that date back to 2018, a Kaspersky Lab representative said, but based on archive searches and other methods, the researchers believe malicious apps from the same advanced group seeded Google’s official market since at least 2016.

Google removed recent versions of the malware shortly after the researchers from Kaspersky, and earlier fellow security firm Dr. Web, reported them. Apps from earlier were already removed, and it’s not clear what prompted the move. Third-party markets have also hosted the backdoored apps, and many of them remain available.

Command-and-control domains were registered as early as 2015, raising the possibility the operation goes back earlier than 2016. Code in the malware and command servers it connects to contain several overlaps with a known hacking group dubbed OceanLotus (aka APT32, APT-C-00, and SeaLotus), leading researchers to believe the apps are the work of that advanced group.

Repeatedly bypassing Google security checks

Attackers behind the campaign used several effective techniques to repeatedly bypass the vetting process Google uses in an attempt to keep malicious apps out of Play. One method was to initially submit a benign version of an app and add the backdoor only after the app was accepted. Another approach was to require few or even no permissions during installation and to later request

Continue reading – Article source