Malware hiding Android apps return to Google Play after a simple name change

A red Android mascot

Researchers have discovered a set of malicious apps on the Google Play Store that are reappearing after being removed by simply changing their names.

Malware identified as Android.Reputation.1, a Trojan first encountered in 2014, has been found in new iterations of at least seven apps on the Play Store after Google was previously alerted to them.

These new apps, featuring under a different publisher, carry the same code but are listed under an altered name, according to researchers from security company Symantec. The apps offer an array of features including emoji keyboard add-ons, calculators, call recorders, and storage space cleaners.

"The Google Play app store has a reputation as the safest place online to get Android apps," wrote Symantec's Martin Zhang, principle software engineer, and Shaun Aimoto, technical product owner, in a blogpost, adding: "And Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.

"We've encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed."

The apps, once installed, take measures to stay on the device, disappear and wipe their tracks, including waiting for hours before launching malicious activity to avoid arousing suspicion and requesting admin privileges - using the Google Play icon when doing so to feign legitimacy.

The apps also retain the ability to change the launcher icon and their "running apps" icon in the system settings once installed, again using well-known icons such as Google Play or Google Maps to avoid suspicion, as well as pushing content such as ads or scams to the device.

Earlier this month Symantec discovered 38 malicious apps carrying the Android.Reputation.1 Trojan on the Play Store disguised as game and education apps - hiding their existence from users by removing their icons from the home screen.

The company previously discovered a set of eight apps hiding a "highly prevalent" type of malware, dubbed Android.Sockbot, in late 2017, which operated by adding compromised devices into a botnet to potentially perform DDoS attacks. The apps boasted an install base of between 600,000 and 2.6 million devices.

"Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behaviour," Symantec's post continued.

The researchers provided the standard recommendations for users to avoid falling foul to sophisticated malware such as this, including keeping software up-to-date, avoiding downloading apps from unfamiliar sites, only installing apps from trusted publishers, reviewing permission requests, and installing a mobile security app.

IT Pro contacted Symantec and Google but neither were able to comment at the time of writing.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.