These 13 Apps Could Have Installed Malware on Your Android Phone

Posted on 08 January 2016 by Tftb @TFTB

Google has removed 13 apps from the Google Play Store after security researchers reported them as malicious. These apps performed unauthorized downloads and attempted further actions if the infected device was found to be rooted.

The discovery was made by researchers at Lookout, a cybersecurity company that focuses on protecting individuals and enterprises from mobile attacks and uses its research to help track down cybercriminals and eliminate mobile software vulnerabilities.
In October 2015, researchers at Lookout noticed several apps appearing on the Google Play Store that looked suspicious and, once installed, behaved much like the earlier detected malware known as 'Brain Test'.

Brain Test was malware first detected on a Nexus 5 that performed a number of actions without the user's consent. It was sophisticated and well designed: it triggered a task every few hours and ran in the background without the user noticing its existence or its activity. The malware also checked whether the device was rooted; if not, it downloaded additional files and kept trying to root the device until it succeeded. Once rooted, the malware copied itself to the system directory and silently downloaded APKs, which it used for device-wide tasks such as installing apps without the user's consent or displaying its own ads everywhere on the device. This also allowed the malware to silently reinstall itself even after the user removed the app. Checkpoint reported its findings to Google, and in September 2015 Google removed the malware from the Play Store, but not before it had received more than 500,000 downloads.

Lookout found similar behaviour in its recent findings. Over the following two months the researchers monitored the suspicious apps and, to their surprise, saw them rack up hundreds of thousands of downloads with a four-star average review score. Around Christmas, one of the suspicious games, 'Cake Tower', received an update that switched on functionality similar to the Brain Test malware along with a new command and control server, which confirmed their suspicion. On 29 December this was reported to Google, and all 13 suspicious apps were removed from the Play Store immediately. Collectively these apps had received more than 1.5 million downloads.

All of these apps looked and functioned well; many were addictive games, which is what led people to download them. But using the Brain Test malware, these apps were able to leave positive reviews and rate other malicious apps in the Play Store without the user's consent, which boosted the download figures enormously.

Mischievously, though, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play Store by the same authors. This helps increase the download figures in the Play Store. Specifically, the malware attempts to detect whether a device is rooted and, if so, copies several files to the /system partition in an effort to ensure persistence, even after a complete factory reset.

REMOVAL

Removing them is not an easy task. A simple factory reset will not help: using the 'Factory Reset' option in the Settings application on an Android device will not remove these apps, because a factory reset does not clear the system partition. The only way to remove this malware is to re-flash a ROM supplied by the device's manufacturer. Every manufacturer has its own procedure for this, so check with your device manufacturer for the proper steps to flash a factory ROM. Most importantly, back up everything on your device before re-flashing so that it can be restored afterwards.
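Because a factory reset leaves /system untouched, one defensive check is to hash every file in a known-good copy of the system partition (for example, extracted from the manufacturer's ROM image) and compare a later snapshot against it. The script below is an added example, not Lookout's or the article's own tooling; the directory layout, package names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Files present only in current, changed since baseline, or missing."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Simulate a clean OEM /system tree, then a snapshot after a root trojan
    has copied a package into it. All names and contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        system = os.path.join(tmp, "system")
        _write(os.path.join(system, "app", "Calculator.apk"), b"oem-calculator")
        _write(os.path.join(system, "priv-app", "Settings.apk"), b"oem-settings")
        baseline = build_manifest(system)  # taken from the known-good image
        # Post-infection: one dropped package, one tampered OEM package.
        _write(os.path.join(system, "app", "Dropped.apk"), b"not-from-oem")
        _write(os.path.join(system, "priv-app", "Settings.apk"), b"tampered")
        return diff_manifests(baseline, build_manifest(system))


if __name__ == "__main__":
    print(demo())
```

Any entry under "added" or "modified" in a real snapshot is a candidate for the persistence files described above and warrants re-flashing rather than another factory reset.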

These apps primarily originate from China and could be described as app farms that sell guaranteed application installs to developers. To deliver those installs, they rely on compromising a large number of devices and then pushing the installs to them.

This raises the question of how secure Android is and how seriously Google takes Play Store security. It is commendable that Google took action immediately and removed the malicious apps as soon as they were reported, but it remains an open question how these malicious apps passed the Play Store security scanner and stayed there for months.

Even though the Google Play Store is largely safe and filters out most malicious and malware-ridden apps, people should remain cautious about what they download from it. Deciding to download based on reviews and star ratings alone is not going to help, nor can it guarantee that those apps are worth trusting.