Google Play Protect has been missing out on some apps which are somehow getting devices compromised. Antivirus software developers from ESET have discovered 8 malware laden apps in the Google Play store.
The security feature of Google Play Protect that is originally designed to block malware from being published in the store, somehow got defeated.
Multi-stage attacks are being utilized to circumvent from being detected. The app can contain any code and disguised in many shape or form. It may not contain malware code but it can be any infection that the developers desire. It is practically invisible and dangerous in nature.
ESET discovered these 8 malware-dropping apps using the same multi-stage design which avoids detection by not containing any malicious code. They have bits and pieces of encrypted payloads that eventually get the malware from from a website which is hard coded into the payloads. One step at a time, they eventually get to the point of installing Android/TrojanDropper.Agent.BKY on the device.
Upon installation, it does not request any suspicious looking permissions. All the nasty parts are done secretly in the background while the multi-stage payloads are decrypted and run one by one until it reaches the actual malware prompts for the user to accept the installation file in the form of a system update for Android, Adobe or Flash.
If at this point the user questions the install, the whole process can be stopped without further harm—multi-stage Android attacks are literally asking you to install malware.
If the install request is accepted the third payload decrypts and runs its contents: the actual malware.
Not just does the malware run on stages, it might be laced with something else. It can be malware, it can be fake banking, phishing attacks, anything you can think of.
The 8 malicious apps discovered by ESET dropped 8 convincingly looking fake bank login pages on the infected device. Pretty much alarming since it targets banking logins.
Multi-stage malware could be used to drop ransomware, keyloggers, rootkits—essentially anything that can be transmitted to a device.
A lot of security measures has been implemented by Google to prevent malware from being transferred via their Google Play platform. As of the moment, they are not ready yet to detect multi-stage payloads. For now, it is hard to trust anything due to the fact that there is no way to guarantee that the app is malware-free.
People cannot rely on Google Play’s Protection against these multi-stage attacks. Always read what the security and permission prompts request are about. Do not easily grant permissions to an app. If you are not familiar or feel it is suspicious, never allow permissions. Make sure it has an antivirus that can detect the multi-stage attack or malicious software running in the background. Do not install 3rd party apps outside of Google Play. Google Play Protect may not be perfect but at least they try their best to keep you safe compared to other websites and 3rd-party stores. Change the DNS settings on your Wi-Fi network, or Android device, to point at Quad9, a free DNS from IBM Security that filters out all known bad IP addresses. This can prevent a multi-stage attack from completing by blocking the site the app tries to download its third payload from.
Just be vigilant and pay attention to app permission requests and stick to downloading from reputable developers. Hopefully in the future, Google Play should be able to detect these threats and prevent them from being published in the first place.