Google Play app with 100 million downloads executed secret payloads
The sad, impractical truth about Android app security in 2019.
The perils of Google Play are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.
Throughout most of its life, CamScanner was a legitimate app that provided useful functions for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.
Then, at some point things changed. The app was updated to add an advertising library that contained a malicious module. This component was what’s known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said that they have previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that are preinstalled on some phones sold in China.
“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” a separate post from Kaspersky Lab explained. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”
The incident underscores the challenge Android users face when looking for useful apps. Google scanners are unable to catch everything, particularly when developers sneak malicious or unethical code into apps that have already passed initial inspections. The result: there’s no easy way to be sure an app is safe. This reality is disappointing, because Google has made real strides in securing more recent versions of Android.
One way to vet apps is to read reviews left by other users. Kaspersky Lab researchers said that negative feedback left over the past month “indicated the presence of unwanted features” in CamScanner. And of course, people should always scrutinize the permissions an app requires. Access to the microphone, camera, contacts, location data, or the phone app can often be telltale signs something is wrong, but not always. Often apps need this access for legitimate reasons. CamScanner, for instance, would obviously need access to the camera to work as advertised. Seeking out apps from known developers, when possible, can often be helpful.
Ultimately, the best strategy is to install only the apps that are truly useful and to uninstall apps that haven’t been used in a while. The practicality and effectiveness of this guidance is by no means ideal, but that’s unfortunately the current state of security for Android apps.