Malicious apps that have breached Google's defences and made it onto the Play store have netted 1.2 million victims, often hijacking phones to place fraudulent clicks on pornography sites.
ESET researcher Peter Stancik says his team found some 343 malicious Android applications that were uploaded to the official Google Play store since August.
Around 10 of the malicious apps are being created and successfully uploaded to Google Play each week, evading the ad giant's code-checking defence mechanisms. Each app has been downloaded an average of 3600 times.
“In one of the largest malware campaigns on the Google Play Store yet, criminals continue to upload further variants of these malicious apps to the official app store for the Android mobile platform,” Stancik says.
“These porn clickers not only made it into the store, but they also successfully compromised user devices.
“After installation, they generate fake clicks on advertisements to generate revenue for their operators, robbing advertisers and harming advertising platforms.”
Victims may find large data usage bills but have not yet been subject to data theft, the researchers say. However, previous Android malware instances have pivoted from basic fraudulent advertising to plunder bank credentials and steal data from existing victim bases.
ESET researcher Lukáš Štefanko says the attacks are a “true campaign” as opposed to disparate attacks because the malicious apps come from a single family.
He says attackers have “the upper hand” despite Google's efforts to take-down the apps.
The team fired a salvo at Google’s ‘verify apps’ security setting in the latest Android, pointing out that it flags only malicious apps that have been previously banned from the Play Store.
“They should probably apply more filters that actually execute the malicious code hidden in the fake app [and use] clustering [for] similar fake applications,” Štefanko says, noting that Google has not revealed how its Bouncer app-filtering tool works. ®