Malicious Apps Get Back on the Play Store Just by Changing Their Name

Malicious Android apps that have been previously reported to Google are showing up again on company's marquee Play Store with new names, security researchers are reporting. BleepingComputer: Seven of these apps have been "rediscovered," said Symantec in a report published yesterday. The company's experts say the author of the original malicious apps didn't do anything special, but only changed the app's names, without making modifications to the code, and re-uploaded the apps on the Play Store from a new developer account under a new name. Symantec says it detected seven of these re-uploaded apps on the Play Store, which it re-reported to Google's security team and had them taken down again.

Google can't be bothered?

[Grand Facade]

To vet the software it makes available?

Re:Google can't be bothered?

[110010001000]

Vetting content would destroy their profit margins and require effort.

Re:

[arth1]

A butthurt RAT has been impersonating me for MONTHS and it's PISSING me off. It's infuriating to see an anonymous UNIDENTIFIABLE TROLL pretending to be me on a daily basis and it needs to STOP.

I don't see any impersonation here. Anonymous Coward posts anonymously.

Anyhow, if you don't like seeing that, can't you just block her with an adblocker that allows blocking a div element of class commentBody that contains both bold tags and "APK"?

Re:

[TheFakeTimCook]

To vet the software it makes available?

That's the REAL joke: They say they already DO that.

Oh No! they banned us

[Revek]

I guess we should just quit and go home. Or we could just try again.

Re:

[ausekilis]

If adding exclamations and numbers work for changing passwords, why wouldn't it work for apps?

Seems Google doesn't check anything but your email

[postbigbang]

If there is an actual vetting process, it's a joke. So much for diligence, trustworthiness, and looking out for the security of their Android users, who dominate worldwide consumers of their "product".

Re:

[Zocalo]

They failed at an even simpler level than that. They could have just kept checksums of the code objects in known malicious apps and automatically removed any other apps that match that checksum, either already in the store or on upload, just like even the most basic antivirus software tech was doing over two decades ago. Or perhaps they simply just didn't expect that malware coders would be equally lazy/clueless and not bother to include some random salt or other obfuscation in their files to mess up atte

Re:

[Psion]

That's ridiculously easy to spoof. Just add a few lines of orphaned code that does nothing to change the app's function and it will have a totally different checksum.

Re:Seems Google doesn't check anything but your em

[Zocalo]

Of course it's ridiculously easy to spoof - I even said how you'd do it in my post - and that's my point; Google are apparently not even doing the kind of basic checks that early AV software was doing in the late 1990's, let alone the kind of modern heuristical scanning that current AV tools use, which is what I'd have expected them to be doing. It's well known in security circles that most malware writers re-use a lot of common code libraries and other "kits" from the darknet and other forums that they then modify to suit, so that Google hasn't successfully automated that kind of scanning on app submission to their own store beggars belief, especially given the number of well regarded security experts they have on thier payroll.

Re:

[swillden]

They failed at an even simpler level than that. They could have just kept checksums of the code objects in known malicious apps and automatically removed any other apps that match that checksum

Since the name is part of the package contents, changing the name will change the checksum. For that matter, just re-signing the package (even with the same key, much less a different key) will change the checksum. Your very simple countermeasure couldn't actually work at the package level. It might work at a lower level, disassembling the package and storing checksums of individual .class, etc. files, but the naive approach would produce a lot of false positives, because Android apps (including malicious

Re:

[HiThere]

A definite point. But you could do checksums of random sections of the code. You'd get false positives, that you'd need to screen out, of course, and even a few false negatives, if blocks of code got switched during compilation or linking, and your checksum straddled a block boundary. The larger a block of code you checked, the fewer false positives you would get, but the more false negatives. So you pick a medium to small block of code, and scan several blocks per submission. You'd still need to chec

Re:

[swillden]

if you got the sizes right you should do a pretty fair job that would have very few false negatives. and not too many false positives.

Maybe, maybe not. You're making a lot of guesses -- which isn't bad unless you start assuming that your guesses are guaranteed to be right. In fact that's pretty much how this space works; people guess at what might work, evaluate the data, then try it if it looks promising. it's entirely possible that something like this was tried and found not to work as well as you're guessing it would. I know the people on the malware scanning team and they're very good. I know this example looks bad, but the problem is

Re:

[HiThere]

Actually, I think the real problem would be that the right block sizes would require too much computing. But you're right, it would take a LOT of testing. And it's quite possible that there's no "one size fits all" right block size.

How is this possible?

[110010001000]

With AI available, how is it possible that a multi-billion dollar system is fooled by changing a string in the app name? Doesn't the AI detect that? The humans did. Very puzzling.

Re:

[Khyber]

The A in AI does stand for 'artificial' and not 'accurate.'

Re:

[Dutch Gun]

I'm thinking the 'I' should stand for 'Inflated' as well.

In Soviet Russia

[dryriver]

YOU are the malicious app in the "Play Store". But more seriously - if you are smart enough to create an Android App, why bother with hacking/phishing/scamming at all? Build something useful and sell it as every other decent programmer would. Make money honorably. A lot of the malware, malicious apps, hacking tools and similar originates in Eastern Europe and Russia these days. And its all built by decently smart people who can actually program a computer. So the question one more time: If you are smart enough to scam, aren't you smart enough to create something legit and make your money that way? Without ruining somebody else's life or breaking all sorts of laws in the process? But it seems that the computing culture in EE/RU is all about doing what should not be done. The internet is one great big see of credit cards, bank accounts, social security numbers, gullible consumers to these people. The sad thing is that they are ruining the region's future in legit software as well. If some smart people in Russia someday made a great OS that can compete with Windows or Linux, would anybody in their right mind actually use it? Would you install a Russian OS on even a single computer in your company? THAT is what these people are doing to their future. Even if a decade from now the culture changes and they start building legit stuff, nobody is going to use it. Because it came from Eastern Europe and Russia.

Re:

[Anonymous Coward]

You are confusing 3 different things. 1) Being able to make an app 2) Coming up with an app idea that is popular 3) Monetizing your idea. They are all totally different problems.

This Is Why You Get Your Apps On F-Droid

[Anonymous Coward]

There's at least two orders of magnitude more malware on a per-app basis at Google Play than at F-Droid.

Re:

[TheFakeTimCook]

There's at least two orders of magnitude more malware on a per-app basis at Google Play than at F-Droid.

And about Infinity-times more than on the Apple App Store.

Re:

[TheFakeTimCook]

Yes, but the Apple App store does not distribute apps that will run on any of my equipment.

Sounds like you have the wrong equipment.

Re: run a hash on the APK

[Bing Tsher E]

If you're not logged in under it, it's not your name.

That's Google!

[Chas]

Great ideas falling from their ears.

And SHIT IMPLEMENTATION WITH NO SUPPORT.