Sneaky malware downloader found in apps on Google Play

Google has removed from Google Play eight apps that have served as downloaders for Android banking malware.

The malware

The packages – a mixture of Android cleaners and news app – looked pretty legitimate: they did not ask for any suspicious permissions, and mimicked the activity the user expected them to exhibit.

What the users could not see is that, in the background, they decrypted and executed a first stage payload, which then decrypted and executed a second-stage payload (stored in the assets of the initial app downloaded from Google Play), which then decrypted and executed a third-stage payload (a fake, malicious app) from a hardcoded URL.

Then there is a pause of 5 minutes, and the malicious app – “Adobe Update,” “Android Update,” or “Adobe Flash Player” – makes its move and asks the user to install it.

These permissions should be suspicious, as they will allow it – once a final, fourth payload is decrypted and executed – to perform malicious actions.

“In all the cases we investigated, the final payload was a mobile banking trojan. Once installed, it behaves like a typical malicious app of this kind: it may present the user with fake login forms to steal credentials or credit card details,” says ESET researcher Lukas Stefanko.

“One of the malicious apps downloads its final payload using the bit.ly URL shortener. Thanks to this, we were able to obtain download stats: as of November 14, 2017, the link had been used almost 3000 times with the vast majority of hits coming from the Netherlands.”

You’ve fallen for the trick, now what?

Users who have downloaded one of these apps must first deactivate admin rights for the (final) installed payload, and only then will they be able to uninstall them.

To do so, first go to:

• Settings > (General) > Security > Device administrators and search for Adobe Flash Player, Adobe Update or Android Update and deactivate the rights for them, then go to
• Settings > (General) > Application manager/App, search for those fake apps, and uninstall them. Finally, go to
• Settings > (General) > Application manager/Apps, search for the original malicious app (go here for the list and names of the malicious Android application packages) and uninstall it.

It’s also a good idea to check you device with a mobile malware solution, and to change all credentials that the final payload might have compromised (online banking credentials, credit card information, usernames and passwords for email accounts, online payment accounts, etc.).