Security researchers have unearthed more than two hundred malicious mobile apps that enjoyed over 250 million downloads globally and were used by their creators to spread adware and to steal sensitive data from the devices on which they were installed.
One such campaign, code-named SimBad by researchers at Check Point, involved cyber-criminals registering 210 malicious apps on the Google Play Store by disguising them as simulator gaming apps and then using these apps to run a large number of advertisements on infected devices outside of the apps, slowing down devices and making it extremely difficult for Android users to uninstall them.
After carrying out an exhaustive analysis of the malicious apps, Check Point noted that the 210 apps, which were downloaded over 147 million times, ran ads on infected devices even when users were not running such apps. A victim of such an app would see unwanted adverts when unlocking their phone or even when using other apps.
These apps would also open the Google Play Store or 9Apps Store randomly to lure the user into downloading other malicious apps, open mobile web browsers with links provided by the app developer so that the developer could target users with spear-phishing messages, download APK files and ask users to install them, and even download malware stealthily after bypassing permission requirements on Android devices.
Researchers at Check Point also noticed another data harvesting campaign that involved hackers using a dozen mobile apps on major third-party Chinese app stores to steal data from infected devices. These data harvesting apps contained a data-scraping Software Development Kit (SDK) called SWAnalytics and could be downloaded by unsuspecting Android device users from well-known third-party app stores such as Tencent MyApp, Wandoujia, Huawei App Store, and Xiaomi App Store.
Because of their presence in popular third-party app stores, these twelve apps were downloaded 111 million times by Chinese users. Once a user installed any of these apps and launched it or rebooted their phone, SWAnalytics would silently upload their entire contacts list to servers controlled by Hangzhou Shun Wang Technologies, thereby compromising the data privacy of hundreds of millions of users, or, as Check Point estimated, roughly a third of China's entire population.
According to Check Point, these twelve malicious apps did not collect data at all from Meitu Phone devices and only targeted devices that ran Marshmallow and later versions of the Android operating system.
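The behaviours described above (ads shown outside the app, activity on boot, prompts to install downloaded APKs, and a contacts upload paired with network access) each require the app to declare specific Android permissions or components in its manifest. The following triage script is an added example, not Check Point's tooling or anything from either campaign: it parses a decoded AndroidManifest.xml (the two manifests below are constructed samples, with invented package names) and reports which of those behaviour patterns an app is capable of. It is a review aid for analysts and app-store reviewers, not a malware verdict; the permission and intent-action strings are real Android identifiers, while the rule names are this example's own.

```python
"""Manifest permission triage for Android apps (added example, not from the article).

Reads a decoded AndroidManifest.xml (as produced by a decompiler) and flags
permission combinations and components that match the behaviours the article
describes. A hit means "capable of", which is a reason to look closer, not proof
of malicious intent: many legitimate apps use some of these permissions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # attribute key for android:name after parsing

# Rule name (this example's own label) -> set of real Android permissions that
# together enable the behaviour. All listed permissions must be present to match.
RULES = {
    "overlay_ads_outside_app": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "auto_start_on_boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "prompts_apk_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "contacts_exfil_capable": {
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def declared_permissions(root: ET.Element) -> set:
    """Collect every <uses-permission android:name=...> in the manifest."""
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def has_boot_receiver(root: ET.Element) -> bool:
    """True if any <receiver> registers an intent filter for BOOT_COMPLETED,
    i.e. the app schedules code to run after a reboot (the SWAnalytics trigger)."""
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == BOOT_ACTION:
                return True
    return False


def triage(manifest_xml: str) -> dict:
    """Return package name, declared permissions, matched rules and boot-receiver flag."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = sorted(name for name, needed in RULES.items() if needed <= perms)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
        "boot_receiver": has_boot_receiver(root),
    }


# Constructed sample: a "simulator game" manifest declaring every capability above.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.simulator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Constructed Racing Sim">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: an ordinary game that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.plaingame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Constructed Plain Game"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage(manifest)
        print(report["package"], "->", report["findings"] or "no findings",
              "| boot receiver:", report["boot_receiver"])
```

Run it against a manifest pulled from a decompiled APK to get a quick list of which of the reported behaviours the app could exhibit; the contacts rule deliberately requires both READ_CONTACTS and INTERNET, since either alone is common in benign apps, and the boot-receiver check looks at components rather than permissions because that is where the "runs on reboot" trigger actually lives.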
The researchers noted that both campaigns are classic examples of supply chain attacks that involve attackers leveraging trusted third party vendors to deliver malware to unsuspecting customers by inserting malware into third-party code. This way, attackers take advantage of the fact that many organisations trust built-in security in third-party code as well as the tendency of DevOps teams to rush applications into the market without the necessary security checks.
Considering that the Google Play Store, despite Google's constant efforts in the recent past, is regularly leveraged by malicious actors to deliver malware and data-stealing apps to end users, the security of end users ultimately rests on how aware they are of such threats and how they choose to secure their data from malicious actors.
When asked how end users can prevent the loss of data to malicious apps lurking on official app stores, Boris Cipot, senior security engineer at Synopsys, told SC Magazine UK that the best way to be sure is to not download any unknown apps or apps from unknown providers - at least not immediately.
"Firstly, you need to at least try to see if the apps have real usage, if they have been rated and if the provider of the apps is trustworthy. On the other hand, it is possible that those things can be faked with data cyber-criminals have bought from the Dark Web.
"Using anti-malware software that (can) also rate apps and check if the installed app has unusual behaviour or uses functionality that should not be there; it's a sensible idea," he added.