Thursday September 19, 2024

Advisory ID : ngCERT-2023-0034

Summary: Cyber threat actors are targeting Android users through a technique referred to as "versioning." It evades the Google Play Store's malware checks by submitting a clean version of the app for the initial security validation. Once the app passes those checks and is published on the Play Store, the actors inject malicious code into it through subsequent updates.

Threat Type(s): Malware

Damage/Probability: CRITICAL/HIGH

Description: Versioning relies on dynamic code loading. The threat actor pushes an update to the app that adds malicious code, fetched from a server the threat actor controls. The app is thereby turned into a concealed entry point that allows unauthorized access to the device. Noteworthy examples of such apps include "iRecorder - Screen Recorder" and "SharkBot," which pose as legitimate applications while hiding harmful components within.

Further investigation revealed a pattern wherein threat actors maintain multiple apps on the Play Store, each tied to distinct developer accounts. Of these apps, only one is activated with its malicious code at any given time. In the event that this app is identified and removed, the threat actors proceed to activate another app from their arsenal. This maneuver ensures a continuous cycle of deceptive apps used for malicious purposes.

Consequences: The "versioning" technique in malicious Android apps, using dynamic code loading, can lead to severe consequences. These include unauthorized access, data theft, device compromise, malware spread, financial loss, privacy violations, reputation damage, resource exploitation, delayed detection, erosion of trust, regulatory implications, and increased security awareness.

Solution: The following precautions should be heeded:

  1. Only utilize trusted app sources like the Google Play Store.
  2. Enable Google Play Protect to receive alerts about potentially harmful apps.
  3. In enterprise settings, limit app sources and use mobile device management for added security.
  4. Exercise caution when downloading apps.
  5. Keep mobile devices updated.
  6. Install only reliable security software, and be mindful of the permissions requested by apps.
  7. Developers should follow secure coding practices, conduct regular security audits, and employ app vetting mechanisms to prevent malicious code injection.
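As an added illustration of the app-vetting step in item 7 (example code written for this advisory, not ngCERT's or Google's tooling): the script below reads the string table of an Android DEX file and reports dynamic-code-loading classes that an update references but the previously vetted build did not, which is the capability the versioning technique described above depends on. It assumes a DEX containing only a header and a string table, and the two DEX blobs it compares are constructed in-line for the demonstration.

```python
# Added example (not ngCERT's code): compare the string table of a vetted DEX with
# that of an update and flag newly introduced dynamic-code-loading class references.
import struct

DCL_CLASSES = {  # Android dynamic-code-loading classes, as DEX type descriptors
    "Ldalvik/system/DexClassLoader;", "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/PathClassLoader;", "Ldalvik/system/BaseDexClassLoader;"}

def _uleb128(value):  # DEX stores string lengths as ULEB128
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(out) + bytes([value])

def build_dex(strings):
    header = bytearray(0x70)                     # constructed demo input: real header size, no other sections
    header[0:8] = b"dex\n035\x00"
    ids_off, data_off = 0x70, 0x70 + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:                            # ASCII only, so MUTF-8 == UTF-8
        ids += struct.pack("<I", data_off + len(data))
        data += _uleb128(len(s)) + s.encode() + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)

def dex_strings(blob):
    """Read the string table; string_ids_size/off sit at header offsets 0x38/0x3C."""
    if blob[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", blob, 0x38)
    result = []
    for i in range(count):
        pos = struct.unpack_from("<I", blob, ids_off + 4 * i)[0]
        while blob[pos] & 0x80:                  # skip the ULEB128 utf16 length
            pos += 1
        pos += 1
        end = blob.index(b"\x00", pos)           # string data is NUL-terminated
        result.append(blob[pos:end].decode("utf-8", "replace"))
    return result

def new_dcl_references(vetted_blob, update_blob):  # DCL refs the update adds
    added = set(dex_strings(update_blob)) - set(dex_strings(vetted_blob))
    return sorted(added & DCL_CLASSES)

if __name__ == "__main__":
    vetted = build_dex(["Landroid/app/Activity;", "onCreate", "Ljava/net/URL;"])
    update = build_dex(["Landroid/app/Activity;", "onCreate", "Ljava/net/URL;",
                        "Ldalvik/system/DexClassLoader;", "plugin.jar"])
    print(new_dcl_references(vetted, update))    # ['Ldalvik/system/DexClassLoader;']
```

In practice the vetted and update blobs would be the classes.dex files extracted from the two signed APKs, and a non-empty result is a trigger for manual review rather than proof of malice.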

References:

https://thehackernews.com/2023/08/malicious-apps-use-sneaky-versioning.html

https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf

https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-disguise/