Malicious Android apps slip into Google Play, top third party charts

Enlist phones in ad fraud, premium SMS, loser DDoS

Malicious Android applications have bypassed Google's Play store security checks and enlist infected devices in distributed denial of service attacks, advertising fraud, and spam botnets.

The apps are legitimate games that in some stores outside of Google Play have made it to highly-contested top free games charts.

Checkpoint malware men Andrey Polkovnichenko and Oren Koriat say the malware family they dubbed Viking Horde, thanks to the chief offending game Viking Jump, varies depending on the capabilities of the infected phone.

"Perhaps the most dangerous functionality is the update mechanism [which] allows downloading and executing any remote code on the device," the pair say.

"The botnet created by the attackers spread worldwide to users from various targeted countries."

The series of permissions the apps request has led to user suspicion and a subsequently low ranking on the Google Play store.

The apps ask for device admin rights and, on rooted devices, root permissions; if granted, these give the malware persistence and make it difficult to remove.

Malicious components are installed (either internally or on an SD card) while the game boots. From there, a link to a command and control server is established where information about the infected phone is sent, and attackers can return commands.

[Figure: Attack flow. Credit Checkpoint.]

Most phones are used in fraudulent advertisement clicks generating revenue for the attackers.

Devices running the modern Marshmallow or Lollipop Android operating systems will need to grant the app a series of individual permissions, making compromise more difficult.

Users of rooted phones will also need to grant the malware explicit root rights, a request which is highly uncommon for benign games.

Older Android KitKat devices, which account for 32 per cent of all devices compared to 35 per cent for the most popular Android version, Lollipop, are much more susceptible to compromise thanks to a weaker permission system that is prone to mindless user approval.

This may go some way to explaining the malware's success in Russia, to which 44 per cent of infections are traced. Statistics show Android is installed on most devices in that country, but no single Android version is as popular there as Apple's iOS version 9.2. ®

Biting the hand that feeds IT © 1998–2020