Google Play is hit by multi-stage malware


A total of eight legitimate-looking apps have been discovered on Google Play that perform their malicious activity in multiple stages. Fortunately, the eight apps have been removed from the store, and each received only a few hundred downloads.

These malicious apps use a multi-stage architecture and encryption so that their true purpose stays hidden. Once installed, the apps do not request any unusual permissions or confidential information; in fact, they behave exactly as the user would expect them to.

In the first stage, the app downloaded from Google Play decrypts and executes its payload: the second-stage component, which is stored in encrypted form in the assets of that initial app. Both of these steps are completely hidden from the user.

The second stage also carries a hardcoded URL from which it downloads another malicious app, after prompting the user to install it. This new app is disguised as popular software such as Adobe Flash Player, or is given a legitimate-sounding name such as "Google Update."

The fourth and final stage, the payload, is a mobile banking trojan. It presents the user with a fake login form in an attempt to steal credit card details or other valuable information.
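As an added illustration from the defender's side (this is not code from the article or from the researchers who found the apps), the following Python script performs the kind of static triage that would surface the two traits described above: an encrypted second-stage blob sitting in an APK's assets, detected by its high byte entropy, and a hardcoded download URL in the app's bytecode. The APK, its file names and the URL are constructed inside the script and are not taken from the real apps; the entropy threshold and the list of media extensions to skip are assumptions a triage team would tune.

```python
import io
import math
import random
import re
import zipfile
from collections import Counter

# Byte-level URL pattern, applied to the raw DEX bytecode.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Compressed media legitimately has high entropy, so it is skipped (assumed list).
MEDIA_EXTENSIONS = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".ogg", ".mp3", ".mp4")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 256) -> dict:
    """Flag high-entropy asset files and hardcoded URLs in DEX files of an APK (a ZIP)."""
    findings = {"high_entropy_assets": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(name)
            # An encrypted second stage shipped in assets/ shows up as a near-random blob.
            if name.startswith("assets/") and len(data) >= min_size \
                    and not name.lower().endswith(MEDIA_EXTENSIONS):
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
            # A hardcoded download URL in bytecode is worth a manual look.
            if name.endswith(".dex"):
                for match in URL_RE.findall(data):
                    findings["urls"].append(match.decode("ascii", "replace"))
    return findings


def build_sample_apk() -> bytes:
    """Construct a minimal fake APK in memory (constructed sample, not a real app)."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    encrypted_stage2 = bytes(rng.getrandbits(8) for _ in range(4096))
    icon = bytes(rng.getrandbits(8) for _ in range(512))  # high entropy but media, skipped
    config = b'{"theme": "light"}\n' * 50  # plain text, low entropy
    # Fake DEX: header magic, padding, then a hardcoded URL (placeholder domain).
    dex = b"dex\n035\0" + b"\0" * 64 + \
        b"https://update-example.invalid/flashplayer.apk" + b"\0" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/stage2.bin", encrypted_stage2)
        zf.writestr("assets/config.json", config)
        zf.writestr("assets/icon.png", icon)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for asset, ent in result["high_entropy_assets"]:
        print(f"high-entropy asset: {asset} ({ent} bits/byte)")
    for url in result["urls"]:
        print(f"hardcoded URL in bytecode: {url}")
```

On the constructed sample this reports only `assets/stage2.bin` and the single URL; `config.json` is well under the threshold and `icon.png` is skipped as media. A real triage pipeline would pair this with a manifest check for install-related permissions and with dynamic analysis, since an entropy hit alone only says "this blob deserves a closer look."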

How You Can Stay Protected

Unfortunately, these malicious apps were able to sneak into Google Play, and the same can happen on other official app stores. The best way to avoid them is to be cautious when downloading an unfamiliar app: check app ratings, comments and reviews, and run a quality security solution on your mobile device.