May 01, 2023Ravie LakshmananMobile Security / Android

Google disclosed that its improved security features and app review processes helped it block 1.43 million bad apps from being published to the Play Store in 2022.

In addition, the company said it banned 173,000 bad accounts and fended off over $2 billion in fraudulent and abusive transactions through developer-facing features like Voided Purchases API, Obfuscated Account ID, and Play Integrity API.

The addition of identity verification methods such as phone number and email address to join Google Play contributed to a reduction in accounts used to publish apps that go against its policies, Google pointed out.

The search behemoth further said it “prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years.”

“In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs,” it noted.

In contrast, Google blocked 1.2 million policy-violating apps from being published and banned 190,000 bad accounts in 2021.

The development comes weeks after Google enacted a new data deletion policy that requires app developers to offer a “readily discoverable option” to users from both within an app and outside of it.

Despite these efforts from Google, cybercriminals are continuing to find ways around the app storefront’s security protections and publish malicious and adware apps.

Case in point, McAfee’s Mobile Research Team discovered 38 games masquerading as Minecraft and which have been installed by no less than 35 million users worldwide, primarily located in the U.S., Canada, South Korea, and Brazil.

These gaming apps, while offering the promised functionality, have been found to incorporate the HiddenAds malware to stealthily load ads in the background to generate illicit revenue for its operators.

Some of the most downloaded apps are as follows –

• Block Box Master Diamond (com.good.robo.game.builder.craft.block)
• Craft Sword Mini Fun (com.craft.world.fairy.fun.everyday.block)
• Block Box Skyland Sword (com.skyland.pet.realm.block.rain.craft)
• Craft Monster Crazy Sword (com.skyland.fun.block.game.monster.craft)
• Block Pro Forrest Diamond (com.monster.craft.block.fun.robo.fairy)

“One of the most accessible content for young people using mobile devices is games,” McAfee said. “Malware authors are also aware of this and try to hide their malicious features inside games.”

Complicating the problem is the surge in Android banking malware that can be weaponized by threat actors to gain access to victim devices and harvest personal information.

Another emerging trend is the use of binding services to trojanize legitimate applications and conceal a rogue APK payload. This technique has been adopted by bad actors to distribute an Android botnet dubbed DAAM, Cyble said.

The malware, once installed, establishes connections with a remote server to perform a wide range of nefarious actions, including acting as ransomware by encrypting files stored in the devices using a password retrieved from the server.

DAAM also abuses Android’s accessibility services to monitor users’ activity, thereby allowing it to log keystrokes, record VoIP calls from instant messaging apps, collect browser history, call logs, photos, screenshots, and SMS messages, run arbitrary code, and open phishing URLs.

“Malware authors often leverage genuine applications to distribute malicious code to avoid suspicion,” the cybersecurity firm said in an analysis published last month.

The findings also follow an advisory from CloudSEK, which discovered that several popular Android applications like Canva, LinkedIn, Strava, Telegram, and WhatsApp do not invalidate or revalidate session cookies after app data is transferred from one device to another.

While this attack scenario requires an adversary to have physical access to a target’s phone, it could allow for account takeover and gain unauthorized access to confidential data.

To mitigate such threats, it’s advised to enable two-factor authentication (2FA) to add an extra layer of account protection, scrutinize app permissions, secure devices with a password, and avoid leaving them unattended in public places.