A security researcher who goes by the name “Dr. Web” has been tracking a suspicious increase in Trojan infiltration emanating from the Google Play Store.

It is not currently known whether a single organized and determined group of hackers is responsible for the surge or if several groups just happen to be focused on the Play Store at around the same time.

Although a variety of malware strains have been spotted embedded in poisoned versions of apps on the Play Store the focus has been on highly popular apps with 500,000 installs or more.  In addition to that, there’s a new Android Trojan disguised as a WhatsApp mod.

Other than ‘apps with lots of installs,’ there doesn’t seem to be a clear pattern.  Several poisoned apps were cryptocurrency management tools, Gasprom investment clones, photo editors, and the like.

Broadly speaking at least where investment-oriented apps are concerned, the gimmick was to get an unsuspecting user to create a new account and then deposit money into it which would be siphoned off later.  In cases of other types of apps, invariably there would be a request made to sign up for expensive subscription services.

The good news is that at this time this piece was written, most of the poisoned apps have been removed from the Play Store.  Unfortunately, there are still a few holdouts.  For example, the app called “Top Navigation” is known to be poisoned but at the time of this writing is still available on the Play Store. Even Worse is it boasts more than half a million installations.

Since Google has been busily chasing down and removing the poisoned apps, the group behind this latest campaign has been setting their sights a bit lower. They now seem to be poisoning apps like Advice Photo Power with around  100,000 installations.

The bottom line is that while the Play Store is still mostly safe it’s not a completely safe source for malware-free apps so stay on your guard.

Leave a Reply

Your email address will not be published.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*