Fleckpe Trojan Infects 620K Devices via Google Play

The Google Play store was found to have hosted Android malware disguised as legitimate applications, downloaded more than 620,000 times since 2022. The malicious apps posed as photo-editing apps, camera editors and smartphone wallpaper packs, and infected 11 legitimate applications before being taken down. Once downloaded, the malware executes a payload from the app's assets, which sends the infected device's mobile code to a command-and-control server. The server responds with a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user. The Trojan targeted Thai-speaking users, and the majority of the reviewers were from Thailand. This is not the first time Google Play has been used to spread malware; threat actors have used it in the past to distribute banking Trojans.

Security Officer Comments:
Attacks that target mobile devices through the preloaded app stores they rely on for software, such as Google Play and Apple's App Store, are becoming increasingly common. As we grow more dependent on devices that make life more convenient or efficient, including in corporate environments, ordinary cybercriminals as well as advanced APT groups will keep finding new ways to infect the devices we know and love. Some believe it should be the store's responsibility to vet applications before they become available for download. However, this has proven to be a daunting task: so many applications are submitted every day that the screening process is ineffective, and scanning every application and all of its code for malicious content may simply be unfeasible. With attacks on mobile devices on the rise, user education and mobile device security have become increasingly important.

Suggested Corrections:
Firstly, users should be educated about the risks of downloading apps from untrusted sources and encouraged to use only reputable app stores and developers. Secondly, app store operators can implement automated security controls such as sandboxing and code signing to detect and block malicious apps. Thirdly, a manual review process can be put in place in which human reviewers check apps for malicious behavior. Fourthly, user feedback and ratings can help detect and remove malicious apps. Finally, app store operators can require multi-factor authentication on developer accounts to prevent unauthorized access and reduce the likelihood of malicious apps being uploaded to the store.

Link:
https://www.bankinfosecurity.com/fleckpe-trojan-infects-620k-devices-via-google-play-a-22007