Security researchers have discovered a malicious app that not only targets Android users with unsolicited ads but also downloads and installs scores of online shopping apps on the device and leaves fake reviews on behalf of the user, all whilst hiding from the device owner.
In a report published by global cybersecurity and anti-virus brand Kaspersky Labs earlier this month, security researchers said they came across a malicious Trojan malware-laced app on the Google Play Store called Trojan-Dropper.AndroidOS.Shopper.a.
How does it operate?
The “Shopper” app tricks users into downloading it by disguising itself with a system icon and a ConfigAPKs name that bears a striking resemblance to the name of a legitimate Android application. Once it’s installed on to an Android device, the malware gets to work, starting with harvesting device information such as country, network type, vendor, smartphone model, email address, IMEI, and IMSI.
The collected data is then relayed to the attackers’ command-and-control servers, which respond with a series of commands to be run on the targeted smartphone or tablet. The operators then mobilize the Shopper.a Trojan to boost the ratings of other malicious apps on the Play Store and post fake reviews on behalf of the victims, such as “very easy to use” and “love this app.”
The malicious app also starts downloading apps from a third-party app marketplace and installs them on the device without the knowledge of the user. These include popular apps like Alibaba, Shein, MakeMyTrip, Hotstar, and others.
Master of Disguise
All this is done without the knowledge of the user using the app’s “invisible window” by abusing the Accessibility Service, a known tactic used by Android malware to perform malicious activities without the consent or permission of the user.
“The lack of installation rights from third-party sources is no obstacle to the Trojan — it gives itself the requisite permissions through Accessibility Service,” Kaspersky Lab researcher Igor Golovin explained. “With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures.”
The malware also disables the Google Play Protect mobile threat protection service, Google’s built-in Android malware protection, so that it can go about its business without a hitch.
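Because the whole scheme hinges on an enabled Accessibility Service, one practical defender check is to list which services a device actually has enabled and flag any that are not expected. The script below is an added example (not code from the Kaspersky report or this article): it parses the value of the `enabled_accessibility_services` secure setting, as printed by `adb shell settings get secure enabled_accessibility_services`, against an analyst-supplied allowlist; both the allowlist and the sample setting value are constructed here.

```python
"""Flag unexpected Android accessibility services from a settings dump.

The secure setting `enabled_accessibility_services` is a colon-separated list
of flattened ComponentNames ("package/service_class"). `settings get` prints
the literal string "null" when the setting has never been written.
"""

# Constructed allowlist: packages whose accessibility services the analyst
# expects on this fleet (here only Android's own TalkBack screen reader).
KNOWN_GOOD_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample of the setting value on a device where an unknown
# third-party service has been enabled alongside TalkBack.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.sample.unknownsvc/.A11yService"
)


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Return (package, fully-qualified service class) pairs from the setting.

    A class name beginning with '.' is relative to its package and is expanded.
    An unset setting ("null") or an empty string yields no entries.
    """
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # malformed fragment; skip rather than guess
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def suspicious_services(setting_value: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Return enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_SETTING, KNOWN_GOOD_PACKAGES):
        print(f"unexpected accessibility service enabled: {pkg} ({cls})")
```

Any hit warrants a look at where the package came from and whether the user knowingly granted it accessibility rights.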
What can the “Shopper” malware do?
Depending on what commands it receives from its control center, the malicious Shopper.a can perform one or more of the following tasks:
- Open links received from the remote server in an invisible window (whereby the malware verifies that the user is connected to a mobile network).
- Hide itself from the apps menu after a certain number of screen unlocks.
- Check the availability of Accessibility Service rights and, if not granted, periodically issue a phishing request to the user to provide them.
- Disable Google Play Protect.
- Create shortcuts to advertised sites in the apps menu.
- Download apps from the third-party “market” Apkpure.com and install them.
- Open advertised apps on Google Play and “click” to install them.
- Replace shortcuts to installed apps with shortcuts to advertised sites.
- Post fake reviews supposedly from the Google Play user.
- Show ads when the screen is unlocked.
- Register users through their Google or Facebook accounts in several apps.
How to identify fake or malicious apps on Google Play Store?
- When searching for an app on the Play Store, you might come across one or more apps with a similar name. One of the ways to identify fraudulent apps is by looking out for spelling mistakes in the app’s name and description before downloading the app.
- While checking the app’s description page for more information, keep an eye out for tags like “Editor’s Choice” or “Top Developer” as these apps are less likely to be malicious in nature or fake. You can also visit the publisher website to be extra careful before downloading it.
- When downloading popular apps like WhatsApp, Facebook, PUBG Mobile, and more, the number of downloads will definitely be higher and usually in the millions. However, if an app has a downloads count of about 5,000 or less, chances of it being a fake app are higher.
- Lastly, and most importantly, look at the permissions that the app is asking for. For example, if you’ve downloaded a third-party messaging app, it will request permission to access your contacts and maybe storage for backup. However, if it asks for permission to use your camera or microphone, it means something’s fishy.