
How Android Malware Makes Its Way Into The Google Play Store, According To Google

The Google Cloud security team has acknowledged that criminal actors frequently use a technique known as versioning to sneak malware onto Android devices, bypassing the Google Play Store’s review process and security checks.

Malicious payloads can be introduced through updates to previously installed apps or through dynamic code loading (DCL), in which malicious code is loaded from servers under the control of threat actors.

Bypassing the static analysis checks performed by the app store, the threat actors can distribute their payloads as native, Dalvik, or JavaScript code on Android devices.

According to Google’s annual report on security threats, “one way malicious actors attempt to circumvent Google Play’s security controls is through versioning.”

“Versioning occurs when a developer releases an initial version of an app on the Google Play Store that appears legitimate and passes our checks, but later receives an update from a third-party server changing the code on the end-user device that enables malicious activity.”

Google says that all Play Store apps and updates undergo thorough PHA (Potentially Harmful Application) screening; however, “some of those controls” are bypassed when DCL is used.

Versioning through DCL lets an app circumvent the Play Store’s security restrictions. According to Google, such apps violate the Google Play Deceptive Behavior policy and may be classified as backdoors.

Apps distributed through Google Play are prohibited from using any method other than the official update mechanism provided by Google Play to modify, substitute, or update themselves.

The official Android app store also has a strict policy against apps obtaining executable code (such as .dex, JAR, or .so files) from external sources.
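As an added example that is not from Google’s report or from this article, here is a small Python triage check a defender might run over an APK to surface the two things the policy above is about: references to the Android dynamic-code-loading APIs inside the app’s dex files, and executable code (.dex, .jar, .so) shipped outside the normal locations. The indicator list and the in-memory sample APK are constructed assumptions for the demonstration.

```python
import io
import re
import zipfile

# Heuristic indicators of dynamic code loading (DCL). The list is an
# assumption of this example, not a Google Play policy definition.
DCL_INDICATORS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/DexFile;",
    b"loadDex",       # DexFile.loadDex
    b"loadLibrary",   # System.loadLibrary: also used by legitimate JNI apps
]
DEX_NAME = re.compile(r"^classes\d*\.dex$")
CODE_EXT = (".dex", ".jar", ".so")


def scan_apk(apk_bytes: bytes) -> dict:
    """Triage an APK (a zip) for DCL API references and loadable payloads.

    Dex files keep class descriptors and method names as plain (M)UTF-8
    strings, so a byte search over classes*.dex is enough for triage.
    Hits need manual review: bundled JNI libraries also call loadLibrary.
    """
    refs, payloads = set(), []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if DEX_NAME.match(name):
                data = apk.read(name)
                refs.update(i.decode() for i in DCL_INDICATORS if i in data)
            # Executable code outside the normal dex / lib/ locations is a
            # classic carrier for a payload the app loads at runtime.
            elif name.lower().endswith(CODE_EXT) and not name.startswith("lib/"):
                payloads.append(name)
    return {"dcl_api_refs": sorted(refs), "loadable_payloads": sorted(payloads)}


def build_sample_apk(with_dcl: bool) -> bytes:
    """Construct a minimal fake APK in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        dex = b"dex\n035\x00" + b"Landroid/app/Activity;" + b"onCreate"
        if with_dcl:
            dex += b"Ldalvik/system/DexClassLoader;" + b"loadDex"
            z.writestr("assets/update.jar", b"constructed payload stand-in")
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()
```

Calling `scan_apk(build_sample_apk(True))` reports the DexClassLoader reference, the `loadDex` call and the stray `assets/update.jar`, while the clean sample reports nothing.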

In addition, Google brought to light a specific strain of malware known as SharkBot that employs this method and was initially discovered by Cleafy’s Threat Intelligence Team in October 2021.

Once installed on an Android device, the SharkBot banking trojan uses the Automated Transfer Service (ATS) protocol to send and receive funds without authorization.

The threat actors behind SharkBot have adopted the common practice of publishing stripped-down versions of their apps on Google Play to evade detection by Play Store systems.

Once a user installs the trojanized app, it then installs the full malware package.

SharkBot has infected thousands of users through apps that passed Google’s submission checks for dangerous behaviour by posing as Android antivirus software and various system services.

Another method of obfuscation used by mobile malware was recently revealed by security researchers at ThreatFabric, and cybersecurity reporter Brian Krebs brought it to light.

This technique prevents malicious Android application packages (APKs) from being scanned by Google’s app analysis tools, so these APKs can still be installed on users’ smartphones despite being flagged as invalid.
