Why can't Google Play prevent Dubsmash porn clicking malware?

Researchers at cloud-based web security outfit Zscaler have reported that yet another malware infected version of the hugely popular Android video selfie app 'Dubsmash' has found its way into the Google Play Store.


The free app allows users to create selfie videos mashed up with music, and has been targeted by malware authors to act as a hidden 'porn clicker' app on numerous occasions over the last few weeks. The latest comes in the form of an app claiming to be 'Dubsmash V3', containing the same malware family, and has already been removed by Google. 

The app deletes its own icon after it has been run and the user quits the application, but then continues to run as a hidden background process, loading web pages and clicking on advertising in order to generate revenue for the people behind it. The latest iteration of the malware app was downloaded around 5,000 times before Google spotted it. This begs the question: why can't Google deal effectively with a malicious developer who reuses variants of the same malware family and uploads them under similar application names from different developer accounts? It's hardly the act of a criminal mastermind, yet it seems to be having quite some success.

Deepen Desai, a security expert at Zscaler and one of the researchers on the ThreatLabz team which identified the latest variant of the malware, told SCMagazineUK.com that he is "not sure of the exact weakness in the Google Play Store's vetting process that these malware authors are exploiting here", but the fact that these apps are not stealing any sensitive information from the infected device and are purely engaged in click fraud activity "may be the reason why Google has not been able to flag it."

Desai also told us that the authors of this malware have "moved away from hard-coded porn URLs inside the APK and instead they are dynamically retrieving them from a remote location at run time". So while the content of the remote location may be completely innocuous at the time of the app vetting process, it can be changed by the malware authors once the app has been approved and posted.

We asked Fabian Libeau, technical director (EMEA) at RiskIQ, whether there was anything else special about this particular porn clicker which might account for it being so persistent.

"The main focus of this malware is about monetising on adverts, in this case porn ads," he said. "As the clicks are coming from all these different devices they won't be seen as click fraud and it won't be detected so easily." Libeau also pointed out that it's a pretty good example of how this area of cyber-crime is commoditising. "It is not just the big bad breach which swipes information in an overt attack that's the only focus for cyber criminals but also stealing small amounts here and there," Libeau told SC. "This is certainly a trend we are seeing and which will increase dramatically."

But none of the above really gets to the fundamentals of just why Google appears to be having such a hard time dealing with the Dubsmash porn clicker variants in particular. It's almost as if the company has adopted a chase-your-own-tail methodology, where it waits for the author to upload yet another variant using yet another developer account and then takes it down as soon as possible. Which isn't soon enough to prevent users from being infected, of course. Surely there has to be a better way for Google to deal with a malicious developer using multiple accounts and multiple malware variants?

Wim Remes, the strategic services manager (EMEA) for Rapid7, and something of an industry stalwart, points out that hosting an application store actually isn't as easy as it seems.
