“Downloading apps from Google Play is a safer proposition than downloading them from third-party markets, but even though Google runs an automated app-scanning service (“Bouncer”) to spot malicious apps, that still does not guarantee you won’t download one.
Case in point: BatteryBot Pro is a legitimate app that monitors and displays your battery charge level, and to do so it asks for just a few permissions.
Unfortunately, scammers reverse-engineered the app’s code, embedded malicious modules into it, and offered the result for download on Google Play. Unlike the legitimate app, which costs some 180 rupees (a little less than $3), the malicious version is offered for free.
Zscaler’s researchers analyzed the spoofed BatteryBot Pro app and found that it asks for considerably more permissions than the legitimate app, among them permissions to send SMS, access the Internet, read account details, process outgoing calls, download additional software packages without notifying the user, and so on.
It also demands device administrator access. If that access is granted, the malicious actors behind this scheme effectively obtain full control of and access to the victim’s device.
So, what does the spoofed app do? Like the original, legitimate app, it displays the device’s battery charge level. But in the background it tries to load various ad libraries to perpetrate click-fraud campaigns, collects information about the device (IMEI, available memory, location, etc.), and displays ads to the victim.
In addition, it secretly downloads and installs additional malicious APKs and sends text messages to premium-rate SMS numbers.
Google has been notified and has already removed the app from the store. But those unfortunate users who have already downloaded it could be saddled with it for quite some time.
“Being run with administrator privileges, the user cannot delete the app after installation,” the researchers noted. “While in some of the scenarios we were able to manually delete the app, the malware authors have taken care to ensure persistence.
“The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted. This acts as a service and sends requests to hard-coded URLs found in the app,” they explained. “The service started by this app continually sends requests to the URLs, some of which will deliver new APKs.””
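The three indicators the article gives (a permission set far beyond what a battery monitor needs, device administrator enrolment, and the com.nb.superuser persistence package named in the researchers' quote above) can be checked offline from the output of a few adb commands. The Python below is an added example written for this page, not Zscaler's tooling or code from either version of the app. It assumes input in the shape of `adb shell dumpsys package <pkg>`, `adb shell dumpsys device_policy` and `adb shell pm list packages` (the samples are constructed to mimic that shape and are trimmed), a hypothetical package name com.example.spoofed for the malicious app (the article does not give it), a hypothetical permission baseline for a battery app, and the standard Android constant names for the capabilities the article describes in words.

```python
"""Offline triage of an Android package against the indicators in the
BatteryBot Pro write-up: over-broad permission requests, device admin
enrolment, and presence of the com.nb.superuser persistence package.

Added example, not Zscaler's code. Input format is assumed to follow
adb's dumpsys/pm output; the samples below are constructed.
"""
import re

# Standard Android permission constants for the capabilities the article
# lists in words (send SMS, Internet, account details, outgoing calls,
# silent package install). The article does not name constants; this
# mapping is an assumption.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.INTERNET": "Internet access (ad loading, C2 polling)",
    "android.permission.GET_ACCOUNTS": "read account details",
    "android.permission.PROCESS_OUTGOING_CALLS": "process outgoing calls",
    "android.permission.INSTALL_PACKAGES": "install packages without user prompt",
}

# Persistence package named in the Zscaler analysis.
PERSISTENCE_PACKAGES = {"com.nb.superuser"}

# Hypothetical baseline: the article only says the real app asks for
# "a few" permissions, so this set is assumed for the comparison.
BATTERY_APP_BASELINE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
}


def parse_requested_permissions(dumpsys_text):
    """Collect names under the 'requested permissions:' block of dumpsys package."""
    perms = set()
    lines = dumpsys_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)requested permissions:\s*$", line)
        if not m:
            continue
        indent = len(m.group(1))
        for entry in lines[i + 1:]:
            # A blank line or a dedent to the header's level ends the block.
            if not entry.strip() or len(entry) - len(entry.lstrip()) <= indent:
                break
            perms.add(entry.strip().split(":")[0])  # tolerate ': restricted=...'
        break
    return perms


def parse_device_admins(device_policy_text):
    """Return package names listed under 'Enabled Device Admins'."""
    admins = set()
    in_block = False
    for line in device_policy_text.splitlines():
        if "Enabled Device Admins" in line:
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+([A-Za-z][\w.]*)/[\w.$]+:\s*$", line)
            if m:
                admins.add(m.group(1))
    return admins


def parse_installed_packages(pm_list_text):
    """Return package names from 'package:<name>' lines of pm list packages."""
    return {l.split(":", 1)[1].strip()
            for l in pm_list_text.splitlines() if l.startswith("package:")}


def triage(pkg, dumpsys_text, device_policy_text, pm_list_text,
           baseline=BATTERY_APP_BASELINE):
    """Report permissions beyond the baseline, admin enrolment and persistence."""
    extra = parse_requested_permissions(dumpsys_text) - baseline
    return {
        "extra_permissions": sorted(extra),
        "suspicious": {p: SUSPICIOUS_PERMISSIONS[p]
                       for p in sorted(extra) if p in SUSPICIOUS_PERMISSIONS},
        "device_admin": pkg in parse_device_admins(device_policy_text),
        "persistence_packages": sorted(
            parse_installed_packages(pm_list_text) & PERSISTENCE_PACKAGES),
    }


# Constructed samples in the shape of the adb command output (not real captures).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.spoofed] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.SEND_SMS
      android.permission.GET_ACCOUNTS
      android.permission.PROCESS_OUTGOING_CALLS
      android.permission.INSTALL_PACKAGES
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.example.spoofed/.AdminReceiver:
      uid=10123
"""
SAMPLE_PM_LIST = """\
package:com.android.settings
package:com.example.spoofed
package:com.nb.superuser
"""

if __name__ == "__main__":
    report = triage("com.example.spoofed", SAMPLE_DUMPSYS,
                    SAMPLE_DEVICE_POLICY, SAMPLE_PM_LIST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real device the three inputs come from `adb shell dumpsys package <pkg>`, `adb shell dumpsys device_policy` and `adb shell pm list packages`; a hit on `device_admin` explains why plain uninstall fails, and the admin has to be revoked in the device's security settings before the package (and anything listed under `persistence_packages`) is removed.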