Security experts often suggest it’s best to get mobile apps from official sources such as Google’s Play Store. That typically is good advice. Google screens every mobile app for malware using its Play Protect security suite:

“All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app developer in Google Play and suspend those who violate our policies.”

This process is not infallible. Lily Hay Newman in her Wired article How malware keeps sneaking past Google Play’s defenses writes that security firm Check Point recently discovered a new strain of Android malware (ExpensiveWall). From the Check Point blog post about ExpensiveWall:

“According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.”


How is that possible?

The common assumption is that malware gets into circulation mainly through ill-intentioned developers who write malicious apps from scratch. However, Peter Hannay, lecturer in digital forensics and cybersecurity at Edith Cowan University, argues that having to produce a product, market it, gain a following, and only then activate the malicious code is too labor intensive for most criminals. “It is far more common for malware to be inserted into existing applications,” suggests Hannay in his article for The Conversation entitled Explainer: How malware gets inside your apps. “There are a number of different mechanisms by which criminals can achieve this.”

Hannay offers the following examples:

  • Application republishing: Cybercriminals download the mobile apps they are targeting, inject malware into them, and republish them in app stores, both official and third-party. Because Android requires every APK to be signed and the attacker does not hold the original developer’s private key, the repackaged app necessarily carries a different signing certificate, which is a reliable way to tell a repackaged copy from the genuine app. “Attackers making use of this strategy may publish under the original app’s name or one that is slightly different,” writes Hannay. “An example of republishing malware is the MilkyDoor malware, which allows attackers to bypass firewalls.”
  • Malvertising: Third-party advertisers supply code packages (ad SDKs) that developers compile into their apps. If attackers get hold of one of these packages, add malicious code to it, and get the tampered version back into developers’ hands, every app that bundles it carries the malware, and the developer may never have looked at the offending code. “An example of this is the Svpeng malware, which installs on Google AdSense ads,” explains Hannay. “Users do not have to click on the ad–opening a page and displaying the ad is enough.”
  • Infected development tools: Rather than infecting the app directly, attackers are turning the app-development toolchain itself into the weapon, so every app built with it is compromised before it is ever submitted for review. Jim Finkle explains in this Reuters report, “Hackers embed malicious code in apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode.”


Hay Newman, in her Wired column, offers additional examples of how malware finds its way into mobile-app stores. Apps can be:

  • Set up to execute their malicious code on a time delay, so nothing harmful runs while the app is under review and the payload activates only after the application has been accepted;
  • Packaged such that the malicious components are encrypted, so static checks such as Play Protect see only an opaque blob rather than the code it contains; and
  • Constructed to download the malicious software from attackers’ servers only after the app has been tested, so the package that was actually reviewed never contained the payload at all.

What is the answer?

Wired’s Hay Newman asks Lukas Stefanko, a malware researcher at ESET, for his opinion on what people should do.

“We always advise users to spend extra time before installing apps to check app permissions and user comments, particularly focusing on negative ones. I also believe there is a need for another layer of security for users, such as a mobile security app, especially when so many harmful apps make it through Google security systems to the Play store.”
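Checking permissions is easier with a script than by eye. The following Python is an added example, not code from the article, Wired, or ESET. It parses an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool) and flags two things: permissions Android classifies as dangerous, and combinations that line up with the tricks described earlier, such as INTERNET plus REQUEST_INSTALL_PACKAGES, which is what a modern Android app needs in order to fetch and prompt installation of a second package after it has passed review. The sample manifest, the package name com.example.wallpaper, and the rule labels are constructed for the demo.

```python
"""Triage the permissions an Android app requests from a decoded manifest.

Added example, not from the article. Assumes AndroidManifest.xml has already
been decoded to plain XML (e.g. by apktool); the sample manifest and the
package name com.example.wallpaper below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# The android: XML namespace used for attributes in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's runtime ("dangerous") permissions: the ones a user must
# grant explicitly because they expose private data or can cost money.
DANGEROUS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Combinations that deserve a second look. Each rule: (label, required set, why).
COMBO_RULES = [
    ("dropper",
     {"android.permission.INTERNET",
      "android.permission.REQUEST_INSTALL_PACKAGES"},
     "can fetch another APK from a server and prompt its installation after review"),
    ("premium-sms",
     {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "can send premium-rate SMS and intercept the confirmation replies"),
    ("overlay",
     {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.INTERNET"},
     "can draw over other apps, e.g. to show a fake login screen"),
]


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names the manifest asks for."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # uses-permission-sdk-23 is the same request, limited to API 23+ devices.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def triage(manifest_xml: str) -> dict:
    """Summarise what the app could do, judged solely by requested permissions."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "dangerous": sorted(perms & DANGEROUS),
        "combos": [(label, why) for label, need, why in COMBO_RULES
                   if need <= perms],
    }


# Constructed sample: a "wallpaper" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['package']}: dangerous={report['dangerous']}")
    for label, why in report["combos"]:
        print(f"  [{label}] {why}")
```

A manifest review is cheap, but it only bounds what the app is allowed to do; it cannot see a time-delayed trigger or an encrypted payload. Its value is in spotting an app whose stated purpose does not explain the access it asks for, which is exactly the mismatch Stefanko suggests looking for before installing.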

For those hoping to learn about new technology to stem the tide of mobile-app malware, there isn’t a silver bullet yet. “Unfortunately, there isn’t a single solution to these issues,” writes Hannay. He resorts to the same advice security pundits have been pushing:

  • Only install applications from reputable developers;
  • Pressure app marketplaces to improve malware-detection mechanisms; and
  • Pester operating-system developers to improve security.

Hannay then dashes even that glimmer of hope in his conclusion, “Nevertheless, malware authors will not be far behind in improving their strategies and devising new ways to compromise devices.”