Why Android users must remain vigilant about malicious apps

Byron Acohido 6 May 2019

Byron Acohido sits down with with Nikolaos Chrysaidos, head of Mobile Threat Intelligence & Security at Avast Threat Labs

Android users – and I’m one – are well-advised to be constantly vigilant about the types of cyberthreats directed, at any given time, at the world’s most popular mobile device operating system.

Attacks won’t relent anytime soon, and awareness will help you avoid becoming a victim. It’s well worth it to stay abreast of news about defensive actions Google is forced to take to protect Android users. Just recently, for instance, the search giant removed 50 malicious apps, installed 30 million times, from the official Google Play Store, including fitness, photo-editing, and gaming apps.

And earlier this year, three popular “selfie beauty apps”– Pro Selfie Beauty Camera, Selfie Beauty Camera Pro and Pretty Beauty Camera 2019 – accessible in Google Play Store were revealed to actually be tools to spread adware and spyware. Each app had at least 500,000 installs, with Pretty Beauty Camera 2019 logging over 1 million installs, mainly by Android users in India.

Instructive details about both of these malicious campaigns come from malware analysts working on apklab.io, which officially launched in February. Apklab.io is Avast’s mobile threat intelligence platform designed to share intelligence gathered by analyzing samples collected from 145 million Android mobile devices in use worldwide.

Nikos-1I had the chance to sit down with Nikolaos Chrysaidos (pictured), head of mobile threat intelligence and security at Avast, to drill down on the wider context of the helpful findings apklabl.io has begun delivering. Here are excerpts of our discussion, edited for clarity and length:

Acohido: What was distinctive about the 50 malicious Android apps your analysts recently discovered?

Chrysaidos: The installations ranged from 5,000 to 5 million installs, and included adware that persistently displayed full screen ads, and in some cases, tried to convince the user to install further apps. The adware applications were linked together by the use of third-party Android libraries, which bypass the background service restrictions present in newer Android versions.

The bypassing itself is not explicitly forbidden on Play Store. However, our analysts were able to detect it because apps using these libraries waste the user’s battery and make the device slower. In this instance, the libraries kept displaying more and more ads, which does violate the Google Play Store rules.

Acohido:  Can you share more about the tainted “selfie beauty apps?”     

Chrysaidos: The apps claim to modify the appearance of the people in the selfies. However, they’re primarily adware delivery vehicles designed to aggressively display ads and install spyware. Adware are unwanted ads that redirect you to sketchy webpages, and spyware collects your data.  

Much of this activity is monetized, one way or another, through a billion dollar ecosystem of click fraud, essentially fooling advertisers into paying for clicks that do little or nothing. The people behind the app profit from the ads shown to users. For each ad displayed, the bad actors make money from advertisers.

Acohido:  What were some of the advanced features your analysts discovered?

Chrysaidos: The apps are difficult for users to remove since their icons are often hidden from the Android launcher screen, making it impossible to use the “drag and drop” function to delete the app by dragging it into the trash bin. This makes it difficult for users to delete the app so that the bad actors can show more ads and make more money.

The apps check for the following launchers: Apex, HTC Sense, 360 Launcher, QQ Launcher, Huawei, OPPO, LG, Samsung and a few more. Upon finding one of these launchers, it uninstalls its own app icon.

In addition to displaying ads, the apps are also capable of making phone calls, recording phone conversations, changing the network state, drawing over other apps, reading the device’s external storage, and more.

Acohido: How did you actually gather this helpful intelligence?

Chrysaidos: We collect file samples from our partners, mobile AV clients, as well as third parties and feed the samples into apklab.io, our mobile threat intelligence platform. We automatically classify and categorize every strain of malware. If a sample is found to be suspicious, we then process it using a custom-built static analysis tool and a dynamic analysis sandbox.

Our goal is to detect and eradicate mobile threats. The malware samples we isolate live forever in the aklab.io database to help solve future iterations of malware. Currently we have almost 6.5 million samples in our database.

Acohido:  How have mobile threats shifted in recent years?

Chrysaidos: In addition to evolving adware and spyware, bad actors in previous years tried to monetize through locking the mobile device, and then scaring the user into paying a ransom to unlock it – that kind of malware is called ransomware. Ransomware evolved into cryptomining, in which the device is stealthily used to participate in the mining of cryptocurrencies, with the coins delivered to the threat actor. This happened as most of the cryptocurrencies increased in value.

Alongside the cryptominers and ransomware, threat actors tested and evolved one more category of malware: banking trojans. Banking malware focuses on stealing bank credentials and credit card data from mobile device users. Banking trojans evolved a lot over the past year, borrowing techniques from cryptomining and ransomware to bring in the new era of hybrid mobile malware.

Acohido:  How do you expect mobile threats to evolve over the next year or two?

Chrysaidos: Actors will continue trying to penetrate Google Play Store and upload their malware. Banking malware will still continue trending, as it’s a very good path for monetization by the bad actors.

Watch Gagan Singh, Avast senior vice president and general manager of Mobile,  discuss how mobile banking trojans work, below:



--> -->