Hackers are taking advantage of versioning techniques to bypass the Google Play store’s malware detection capabilities and target Android users.
This is information shared by The Hacker News in a threat report released in August 2023 from the Google Cybersecurity Action Group (GCAT). Accordingly, campaigns using versioning techniques will target user logins, data, and finances.
While versioning is not a new technique, it is stealthy and difficult to detect. Under this method, the developer will release the first version of the app on the Google Play store, which has passed the tests before being placed on the Google marketplace, but is then updated with toxic ingredients
Typically, updates are pushed from a server controlled by an attacker to deliver malicious code on a user’s device using dynamic code loading (DCL), effectively turning the app into a backdoor.
In early May, security firm ESET discovered iRecorder, a harmless screen recording app for almost a year after it was uploaded to the Google Play store, had malicious changes that tracked users. Another example of malware that uses DCL is SharkBot. This app has appeared on the Google Play store many times by masquerading as a security and utility app. SharkBot is a financial trojan that initiates unauthorized money transfers from devices using the Automated Transfer Service (ATS) protocol
There are also free apps on the Play Store with limited functionality that, when installed, download the full version of the malware, which generates less attention.
ThreatFabric says malware vendors have exploited a bug in Android that renders malware harmless by damaging components so that the entire app remains valid. The author of malware can have several apps published in the store at the same time under different developer accounts, however, only one acts as malware, while the other is a backup to use after taking it down
Such a tactic helps the hacker maintain a very long campaign, minimizing the time it takes to publish another app and continue the distribution campaign.
To minimize any risk, Android users are advised to use trusted sources to download apps and enable Google Play Protect to receive notifications when potentially harmful apps are found on their devices
