Malicious Apps and How to Find Them

Maybe you've heard the advice "don't download any app on your phone" before. It's a piece of strong advice when it comes to mobile devices security.

Malicious apps are at this time the most common threats to mobile users.

And other mobile device security efforts such as locking your phone are of no use if you directly give criminals access to your data through installing malicious apps.

In this post, I'll focus more on malicious apps on Android because the incidents are higher in number for Android users than for iOS owners. This doesn't mean malicious apps don't make their way in the iOS App Store from time to time. But because of the closed system, apps are more drastically inspected before reaching the market, resulting in less such incidents.


How safe is the Google Play Store?

Google Play Store is continuously raising concerns about security when it comes to the apps that are available to download on the platform. In the course of this year, there have been a lot of incidents reported about malicious apps, some of which managing to affect millions of users.

The open nature of the platform makes it harder for Google to effectively filter all the apps that are uploaded. Google is actively trying to improve the filtering system and to fix these issues, the efficiently of detecting and removing malicious apps increasing every year, but cybercriminals seem to be one step ahead. Malicious code can be hidden behind encryption walls, which makes detecting malware even harder.

To quote Andrew Ahn:

"Despite our enhanced and added layers of defense against bad apps, we know bad actors will continue to try to evade our systems by changing their tactics and cloaking bad behaviors. We will continue to enhance our capabilities to counter such adversarial behavior, and work relentlessly to provide our users with a secure and safe app store."

Considering the ongoing incidents, users must be aware of what can hide behind an apparently innocent app and learn to look at all apps with a grain of salt before taking their security for granted.


Malicious apps evolution

According to Kaspersky Lab data, 2018 was the year of the most and strongest attacks, including attacks on bank accounts through mobile devices, apps that spy on victims and apps that damage victims' devices. 2018 has seen 116.5 million attacks using malicious apps, two times more attacks than in 2017 when there were only 66.4 million. Kaspersky Lab protected almost 10 million unique users of Android devices in 2018, compared to 774.000 in 2017. Most attacks occurred using the following techniques.

Trojans droppers - Over the past years, Trojan droppers was the first choice for cybercriminals to deploy attacks. They are designed to bypass detection, hiding the malicious code. Even though these types of malware have been around for some time, in 2018 the number of incidents increased significantly, especially with banking Trojans.

Adware - This type of malicious apps were in the top 3 by the number of installation packages in 2018. They are so popular because they are a safer way for cybercriminals to make money because these attacks don't cause damage to victims' devices. But even if the device is not directly damaged, it might become impossible to use due to it being flooded by dozens of ads. It's also tricky to detect which app causes the device to display ads because they appear outside the malicious app interface.

Mobile miner Trojans - This technique is used for cryptocurrency mining, and it's easier to deploy these days because mobile devices are everywhere, they are easy to infect, and the advanced graphic processors facilitate the job. Even though they are not yet the most common types of attacks, with the rising of using cryptocurrencies, they are a real threat that should be addressed.

Over the years, malicious apps have been constantly evolving both because technology allows for more sophisticated malware modification and because there are more and more ways in which cybercriminals can steal sensitive information and money through mobile devices.


Malicious apps incidents

Let's take a look over the most important malicious apps incidents that happened recently.

Security apps are not all secure

When you think of a security app for your device, you are most often inclined to trust that it will protect your device from malware. The reality is, lots of security, spyware, and antivirus products are containing malicious code and will infect your device themselves instead of keeping you safe.

One of the first examples of such a product was Virus Shield. The app, which was available on Google Play Store, claimed to scan users' devices for malware and over 30.000 users had paid for it. This app didn't contain malicious code, but it did nothing at all. It only changed its icon when tapped on so it would look like it was scanning the device, but it didn't contain any code to do anything else. This was an incident that made security experts analyze other security apps more closely from then on.

AV-Comparatives tested over 200 antimalware apps from Google Play Store in 2018. From the tested apps, only 84 of them detected over 30% of malicious apps. 79 of apps detected less than 30% of malware, which makes them inefficient and highly risky for mobile devices.

Malicious lifestyle apps with millions of installs

One of the most common categories for malicious apps is the lifestyle category. Lots of malicious lifestyle apps keep popping up and they end up by having millions of installs.

Avast discovered 50 adware apps on Google Play Store in April 2019 each of them having between 5k and 5 million downloads. These apps display persistent full-screen ads each time the device is unlocked or at every 15 minutes, even to convince users to click or to download further apps. Most of these malicious apps are photo editing tools, music, and fitness apps.

Another example are other 29 malicious apps with a total download count of 10 million, reported by Quick Heal Security Labs in September 2019. 24 of these apps are from HiddAd category, which means that the apps hide their icon, creating a shortcut on the home screen, so that users are not able to uninstall the app by just dragging the icon. Most of them are photography apps.

Google removes these apps from the Play Store when they are reported by security experts, but new ones keep on making their way to the store.

The "Agent Smith" malware

A research from 2019 found out that a set of malicious apps from a campaign called Agent Smith have been installed on 25 million Android devices. Most of them were games and the malicious code hidden behind them was able to copy popular mobile apps, replacing them with infected versions. The malware was well hidden from users because the apps were still working properly. Even though it might've not seemed like a significant problem because they only hijacked apps to display unwanted ads to users, these security flaws can allow cybercriminals to also hijack shopping, banking, and other private apps.

The "Clicker trojan"

Clicker trojans are designed to earn money from online traffic and increase website visits. In August 2019, Doctor Web reported such a malware on Google Play Store, hidden behind common apps such as online maps, barcode scanners, music players, and so on. Upon installation, these apps send information about the infected device to the C&C server including the operating system, device's manufacturer and model, user-agent ID, mobile carrier, timezone, and more. The server then sends the necessary settings based on this information. This type of trojan is able to advertise apps on Google Play, load websites and ads, and even automatically subscribe users to paid services without requiring confirmation from the users. 34 such malicious apps were found, over 101 million devices being infected by these malicious apps.

Joker malware

Another type of malware hidden behind malicious apps is known as Joker. It is designed to sign up users for premium subscription services without their knowledge. These 24 apps target specific European and Asian countries, have over 470.000 installs, and the campaign seems to has started in June 2019. You can find a list of the apps and the countries they target here.

Because of such malicious apps, it's important you review the permissions you allow to apps upon installation. With most of the apps, you can clearly see from the beginning they are going to access information on your device they shouldn't need access to.

Keeping a close eye on your bank statement is also important to prevent being charged for services without your knowledge.


Checking for malicious apps on your phone

In an attempt to reduce the number of malicious apps users install on their devices, Google launched Play Protect in 2017. It runs in the background, checking the apps from the Play Store before you download them. It also runs periodically scans for your device.

Google Play Protect is enabled by default for all users. To check if it is enabled on your device:

Open the Play Store > Tap the hamburger button in the top left corner > Tap on Play Protect

From here, you can see when the apps on your device were last scanned and you have the option to scan your device on demand.

Before you download an app

When you tap to install an app from the Google Play Store, check to see if you can see the Play Protect badge underneath the progress status. If this badge displays, it means the app has been verified by Google Play Protect and it is safe to use at that time.

When you update an app

Just because the app was safe when you first installed it, it doesn't mean a cybercriminal isn't able to add malicious files to it later. Make sure you also check if the available updates are safe.

Open the Play Store > Tap on the hamburger button in the upper left corner > My apps & games

Under the Updates section, you'll see a list of all the apps that have pending updates and, at the top of the page, Google will reassure you those updates are safe to install.

If you are installing apps on your device outside of the Play Store, make sure you allow Google Play protect to also scan those apps for malicious files.

Open the Play Store > Tap the hamburger button in the top left corner > Tap on Play Protect > Tap on Settings > Enable "Improve harmful app detection"

Another good rule to stay away from malicious apps is to always check the ratings and comments of the apps before you go and install them. If there's something wrong with the app, other users will usually talk about it.

Fast, secure, no logs VPN software from DrSoft

Fastest, highly secure and anonymous VPN software