Security

New Google Play Store malware highlights disturbing trend of multi-stage Android attacks

Malicious Android apps keep slipping by Play Protect because they don't contain the malware they use to compromise devices. Instead, they leverage a familiar method that's new to mobile attacks.

Antivirus software maker ESET has discovered eight more malware-laden apps in the Google Play store.

This is the latest in a string of malware in the official Android app store that seems to be continuing unabated despite the introduction of Google Play Protect, which is meant to block malware from being published in the store.

What the latest string of attacks have in common is that they all bypassed Google Play Protect the same way, by using a multi-stage attack. Multi-stage malware could be disguised as anything, doesn't contain any actual malware code, and could be responsible for any kind of infection its developers desire.

In short, it's dangerous and invisible.

The invisibility of multi-stage attacks

All eight of the malware-dropping apps that ESET discovered were of the same multi-stage design that avoid arousing suspicion by not containing any malicious code.

What they do contain are several layers of encrypted payloads that eventually download malware from a website hardcoded into the payloads. In the case of the latest discovery, the eventual goal is to install Android/TrojanDropper.Agent.BKY on the compromised device.

When the app is initially installed from Google Play it doesn't even request any suspicious looking permissions. All its nefarious work is done invisibly in the background as it decrypts and runs its first payload, which in turn decrypts and runs the second one.

SEE: New Android malware found every 10 seconds, report says (TechRepublic)

The second-stage payload reaches out to the malware-hosting website and downloads the third-stage payload. It's at this point that the malware prompts the user to accept an installation of what seems to be a benign update—either to Flash Player, something Adobe related, or even an Android system update.

If at this point the user questions the install, the whole process can be stopped without further harm—multi-stage Android attacks are literally asking you to install malware.

If the install request is accepted the third payload decrypts and runs its contents: the actual malware.

A sign of things to come?

All eight of the malicious apps ESET discovered dropped a banking trojan that displayed fake login pages on infected devices, but that's just one example of how multi-stage attacks could put Android users, and most everyone else, at risk.

Multi-stage malware could be used to drop ransomware, keyloggers, rootkits—essentially anything that can be transmitted to a device.

SEE: The Four Volume Cyber Security Bundle (TechRepublic Academy)

Google Play Protect is designed to stop malware from getting to Android users, but recent attacks have made it obvious that it's not designed to detect multi-stage payloads. Until Google finds a way to detect those apps, users are taking a risk installing anything that doesn't come from a well known, reputable developer.

That said, your Android device's protection against multi-stage attacks, since you can't rely on Google Play Protect to do it, can be enhanced in the following ways:

  • Always read the permissions requests from an app, and don't grant them if they look suspicious. Never give permissions to an app that you don't recognize.
  • Install an antivirus app on your device to ensure a multi-stage attack app isn't downloading malicious software in the background.
  • Never install apps from outside Google Play. Play Protect may not be perfect, but it's still keeping your device safer than third-party stores or websites can.
  • Change the DNS settings on your Wi-Fi network, or Android device, to point at Quad9, a free DNS from IBM Security that filters out all known bad IP addresses. This can prevent a multi-stage attack from completing by blocking the site the app tries to download its third payload from.

The top three takeaways for TechRepublic readers:

  1. Antivirus software maker ESET discovered eight new malware apps hiding in Google Play. They bypassed Play Protect by being multi-stage attack apps that download malicious payloads from the web.
  2. Multi-stage malware pulls its actual attack from the internet and requires the user's permission to install. These attacks generally masquerade as Adobe or Android system updates.
  3. Google Play Protect isn't catching multi-stage attacks—this is just the latest of many. Protect your device by installing antivirus software, paying attention to app permission requests, and only downloading apps from known, trustworthy developers.
mobile-malware.jpg
Image: iStock/CarmenMurillo


Also see:

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox