Two separate malicious apps were found lurking in the Google Play store, loaded with zero-click spyware leading back to China.
Together, the two applications, which trace back to the same developer, affected an estimated 1.5 million users, according to a new security alert from Pradeo. Google removed the apps within hours of being notified, the researchers add.
Spyware Apps Relied on Elevated Permissions
Most malicious apps rely on the victim actually using them to successfully deliver malware, but these relied on permissions instead, according to Pradeo.
“Often, users install applications they end up not even using,” the security alert said. “For most malware, that means the attack is unsuccessful. To overcome that obstacle, File Manager and File Recovery and Data Recovery can, through the advanced permissions they use, induce the restart of the device. This then permits the apps to launch and execute themselves automatically at restart.”
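As an added illustration of the pattern described above (not code from Pradeo or this article): a small manifest audit that flags permissions outside a file manager's stated purpose and detects a boot-completed receiver, the standard way an Android app arranges to start itself after a restart without the user opening it. The baseline allowlist and the sample manifest are constructed assumptions; the page does not list the real apps' permissions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Assumed baseline: what a plain file manager plausibly needs (a reviewer's allowlist).
FILE_MANAGER_BASELINE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

def audit_manifest(manifest_xml: str, baseline: set) -> dict:
    """Flag permissions outside the app's stated purpose and boot-time self-launch."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A + "name") for el in root.iter("uses-permission")}
    requested.discard(None)
    # A receiver listening for BOOT_COMPLETED lets the app start itself after every
    # restart, without the user ever opening it.
    boot_receivers = [
        r.get(A + "name")
        for r in root.iter("receiver")
        if any(a.get(A + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    return {
        "unexpected": sorted(requested - baseline - {BOOT_PERM}),
        "boot_persistence": BOOT_PERM in requested and bool(boot_receivers),
        "boot_receivers": boot_receivers,
    }

# Constructed sample manifest (not taken from the real apps): a "file manager" that
# also asks for contacts and location and registers a boot receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, FILE_MANAGER_BASELINE))
```

The same check can be run over manifests pulled from managed devices to screen company-owned phones for apps whose permissions exceed what their store listing implies.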
Pradeo researcher Roxane Suau explained to Dark Reading that in addition to file manager applications, junk cleaner apps are also often spoofed for malicious purposes because of the elevated permissions required for them to perform their tasks.
Beyond sneaky permissions, the spyware apps misrepresented the amount of data collected, which raises flags about the security controls on applications available in the Google Play store, according to Melissa Bischoping, director of endpoint security research at Tanium.
BYOD Policies Increase Risk
“Users are often encouraged to place trust in the data privacy and safety reports on an app’s page in the store, and this kind of deception undermines trust in all apps, not just the ones analyzed in the Pradeo reporting,” Bischoping says. “There are over 3.5 million apps in the store, so it would be a herculean effort to perform deep-dive analysis of how each app complies with its stated privacy and security practices. That said, this type of glaring inaccuracy demonstrates a need for tighter vetting and control over what is published.”
The damage these malicious applications can do to enterprises increases dramatically with bring your own device (BYOD) policies in the mix, Bischoping points out.
“A ‘bring your own device’ policy often results in unmanageability of mobile devices for large organizations,” she explains. “Because of this, you cannot control what apps an employee may install or how much access they grant those apps. It’s important to weigh the risk/reward of allowing mobile access to corporate data from personal devices.”
Enterprise-owned devices should have controls in place to restrict these applications from being downloaded, Mike Parkin, senior technical engineer with Vulcan Cyber, tells Dark Reading.
“With enterprise-owned devices, they should be doing this already,” Parkin says. “If they own the device, they have every right to restrict what goes onto it.”
For organizations with BYOD policies, imposing restrictions on downloading apps is more difficult, Parkin adds, since the user owns the device and may balk at restrictions. “Though it would be appropriate for them to publish their expectations and, when necessary, block infected devices from accessing enterprise assets.”
While malicious applications are hardly anything new, John Gallagher, vice president at Viakoo Labs, hopes incidents like these two spyware apps discovered in the Google Play Store will encourage enterprise security teams to take a look at their own policies.
“The ability of an application to have its download numbers inflated, to have more permissions than it needs, and for it to violate personal information policies and laws, are all existing attack vectors,” Gallagher says. “These newly discovered threats may push more organizations to screen company-provided devices for such apps, or to monitor their network traffic to detect issues.”