Google Play infected with data-stealing Android malware

Google Play has been found hosting data-stealing Android malware that has affected users in 196 countries.

More than 100,000 people downloaded apps distributing the MobSTSPY malware, which is also able to phish and steal account credentials from victims.

Powerful Android malware capable of accessing a device's location and communication logs, and of stealing files and account credentials, has been downloaded by at least 100,000 users around the world after successfully infiltrating the Google Play app store.

Several applications uploaded to Google Play with the intention of distributing MobSTSPY have been detected by researchers at Trend Micro. The malware-laden apps include games -- most prominently a malicious version of Flappy Bird and a clone featuring a dog, called Flappy Birr Dog -- as well as more general-purpose applications, including a flashlight app and Windows emulators.

It is possible that the apps were initially uploaded to the store without active malicious code, with the infrastructure for conducting attacks only added in a later update. This could have been months later, after the apps had been downloaded by large numbers of users.

"Usually Google enforces more stringent checks for new apps, but as updates are made to the app over time and they are proven not to be malicious from the outset, the level of checking may be reduced," said Bharat Mistry, Principal Security Strategist at Trend Micro.

"Once the app has gained some credibility and has a good distribution of users, the app developer will then issue an update which enables the malicious features."

A number of malicious activities can be conducted, depending on the commands issued by the attackers. These include stealing SMS messages, contact lists and a variety of files such as screenshots, audio recordings and WhatsApp data, as well as app logins.

In addition to directly stealing files from the compromised Android device, MobSTSPY can gather additional credentials by conducting phishing attacks. The malware displays fake pop-ups imitating popular services such as Facebook and Google, and mobile banking apps, asking the user to log in to their account. The fake pop-up then tells the user the login was unsuccessful and disappears, having achieved its goal of capturing their username and password.

Ultimately, victims of the malware can have large amounts of their personal data stolen by attackers, putting their privacy at risk and leaving them open to further attacks -- especially if the information is sold on underground marketplaces. Before they know it, their accounts can be emptied.

According to the researchers, the malware has been widely distributed, with victims in 196 countries worldwide, ranging from the United States, across Europe and the Middle East, to East Asia and Africa. However, almost a third of victims are in India, which may hint at where the attackers are based.

"Looking at the countries affected the most, it looks like the cybercriminals are operating in and around the Indian subcontinent. They are more than just 'script kiddies', but aren't as advanced or adventurous as nation states trying to see what they can get away with," said Mistry.

All of the malicious apps -- Flappy Birr Dog, Flappy Bird, FlashLight, HZPermis Pro Arabe, Win7imulator and Win7Launcher -- have now been removed from Google Play. If you have any of these apps installed, I recommend uninstalling them.

When asked how the company is looking to ensure malware doesn't infiltrate its official store, a Google spokesperson said: "We remove applications that violate our policies, such as apps that are illegal."

For now, the apps can no longer be downloaded, but more than 100,000 users may still unwittingly be infected. Trend Micro has published indicators of compromise to help identify the malicious apps, and users are advised to remove the apps as soon as possible.
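The indicators themselves are not reproduced on this page, but the practical step for anyone managing a fleet of Android devices is to match the published package names against what is actually installed. The script below is an added example for this article, not code from Trend Micro or from the malware report: it parses the output of `adb shell pm list packages -f -3` (one line per third-party app, in the form `package:<apk path>=<package name>`), flags any package on an indicator list, and returns the APK path so the file can be pulled and hash-checked. The package names in `IOC_PACKAGES` and the sample output are placeholders constructed for illustration, not the real indicators.

```python
"""Triage an Android device's third-party package list against a set of
indicator package names.

Added example for this article, not code from Trend Micro or the report.
The names in IOC_PACKAGES are placeholders (the report's real package names
are not reproduced on this page); swap in the published list before use.
"""
import re
from typing import Dict, FrozenSet, Iterable

# `adb shell pm list packages -f -3` prints one line per third-party app:
#   package:<path to base.apk>=<package name>
_PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Placeholder indicator list (hypothetical package names, for illustration only).
IOC_PACKAGES: FrozenSet[str] = frozenset({
    "com.example.flappybirrdog",
    "com.example.win7launcher",
})


def parse_pm_list(lines: Iterable[str]) -> Dict[str, str]:
    """Map package name -> APK path, ignoring lines that do not match the format."""
    found: Dict[str, str] = {}
    for line in lines:
        m = _PM_LINE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found


def find_iocs(lines: Iterable[str], iocs: FrozenSet[str] = IOC_PACKAGES) -> Dict[str, str]:
    """Return {package: apk_path} for installed packages on the indicator list.

    The path is returned so the APK can be pulled (`adb pull <path>`) and its
    SHA-256 compared against any hash indicators as a second check.
    """
    return {pkg: path for pkg, path in parse_pm_list(lines).items() if pkg in iocs}


# Constructed sample of `pm list packages -f -3` output (not from a real device).
SAMPLE_OUTPUT = """\
package:/data/app/com.example.flappybirrdog-1/base.apk=com.example.flappybirrdog
package:/data/app/com.android.chrome-2/base.apk=com.android.chrome
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""

if __name__ == "__main__":
    # On a real device: adb shell pm list packages -f -3 | python3 this_script.py
    for pkg, path in find_iocs(SAMPLE_OUTPUT.splitlines()).items():
        print(f"IOC match: {pkg}  ->  adb pull {path}")
```

Matching on package name alone is only a first pass: a repackaged app can ship under any package name, so after pulling the APK, compare its SHA-256 against the hash indicators in the published list before deciding a device is clean.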
