A malware-laced app was found lurking on Google Play for a year

• The malicious app downloads a trojan that poses as an Adobe Flash Update, from an unknown source.
• At the time of discovery, the malicious app had been installed over 5,000 times from the Google Play Store.

A malware-laced Android application was found lurking on Google Play for almost a year. During this time, the malicious app was available for download by all Google Play users. The malware was hidden in an app named “Simple Call Recorder”, published by the FreshApps Group.

At the time of discovery, the malicious app had been installed over 5,000 times from the Google Play Store. The main goal of the malicious app was to trick users into installing an additional app, which posed as an Adobe Flash Player Update.

The malware-laced app was first discovered by ESET malware researcher Lukas Stefanko. Fortunately, the malicious app was taken down from the Google Play Store after Stefanko reported about it.

“Simple Call Recorder lasted on the Google Play almost for a year, which is really a long time before being removed, if we consider that the app contained flashplayer_update.apk string inside,” Stefanko said in his blog.

Exploit method

According to Stefanko, the malicious functionality of the app was not built along with the call-recorder app. Instead, it was added by an attacker to trick users to install an additional app, by hiding behind a legitimate functionality.

Stefanko also speculated that the attacker could have found the legitimate code for the call-recorder app on an alternative source and stolen it to implement his own malicious code and upload it on Google Play.

Attack vector

Once the call-recorder app is installed and launched on a device, it decrypts an additional binary file and then dynamically loads it into the application. This kind of behavior is commonly found among many other Android malware variants in recent times, said Stefanko.

The malicious Flash Player is downloaded via Adobe servers. However, Google Play’s policy prohibits apps or SDK’s that download executable code, such as dex files or native code, from a source other than Google Play. The malware’s ability to bypass Google’s security measures makes the threat much more worrisome.

Further functions of the malicious app are currently unknown because Stefanko was unable to retrieve it through the link hardcoded into the APK. “It is likely that the app has already been removed from the server after being available for download for over 11 months,” added Stefanko.

A recent report from Google advises users to stick to Google Play apps and run as recent a version of Android as possible to reduce the risk of ending up attacked. The report stressed that Android devices that only download applications from Google Play are nine times less likely to end up with malware. Unfortunately, however, the apps like Simple Call Recorder still continue to slip through Google’s security loopholes.