The Google Play perils are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.
Throughout most of its life, CamScanner was a legitimate application that provided useful features for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.
Then, at some point, things changed. The app was updated to add an advertising library that contained a malicious module. This component was what is known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said they had previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that were pre-installed on some phones sold in China.
“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of malware: download and launch a payload from malicious servers,” a separate post from Kaspersky Lab explained. “As a result, module owners can use an infected device to their advantage in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by paying paid subscriptions.”
The incident underscores the challenge Android users face when looking for useful apps. Google's scanners are unable to catch everything, especially when developers sneak malicious or unethical code into apps that have already passed initial inspections. The result: there is no easy way to be sure an app is safe. This reality is disappointing because Google has made real strides in securing more recent versions of Android.
One way to vet apps is to read reviews left by other users. Kaspersky Lab researchers said negative feedback left over the past month “indicated the presence of unwanted features” in CamScanner. And of course, people should always scrutinize the permissions an app requires. Access to the microphone, camera, contacts, location data, or the phone app can often be a telltale sign that something is wrong, but not always. Often apps need this access for legitimate reasons. CamScanner, for instance, would obviously need access to the camera to work as advertised. Seeking out apps from known developers, when possible, can also be helpful.
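The two vetting angles above, permissions that the app's stated purpose does not explain and code that fetches, decrypts and loads something it did not ship with, can be checked statically before an APK is trusted. The following is an added example written for this article, not code from Kaspersky Lab or from CamScanner: it parses the `<uses-permission>` entries of an `AndroidManifest.xml`, flags sensitive permissions outside the capabilities the app is expected to need, and looks for the class-loader, cipher and HTTP-client combination that a dropper of the kind described needs. The manifest, the string list, the permission grouping and the indicator sets are all constructed for the demonstration; the indicator sets are deliberately small and any one of them alone is common in benign apps.

```python
"""Added example (not from the article): static triage of an Android app's
declared permissions and of dynamic-code-loading indicators in its code.
All inputs below are constructed for the demo."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime-sensitive permissions grouped by the capability they unlock
# (a constructed subset of Android's "dangerous" protection level).
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
}

# Class names that, taken together, match the fetch -> decrypt -> load
# behaviour of a dropper. Each set alone is common in legitimate apps.
DYNAMIC_LOAD = {"dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader",
                "dalvik.system.InMemoryDexClassLoader"}
CRYPTO = {"javax.crypto.Cipher"}
NETWORK = {"java.net.HttpURLConnection", "okhttp3.OkHttpClient"}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def unexpected_permissions(perms, expected_capabilities):
    """Sensitive permissions whose capability the app's stated purpose does not explain."""
    return sorted(p for p in perms
                  if p in SENSITIVE and SENSITIVE[p] not in expected_capabilities)


def dropper_indicators(strings):
    """Group the class names found in the app's code and flag the full combination."""
    found = set(strings)
    report = {"dynamic_load": sorted(found & DYNAMIC_LOAD),
              "crypto": sorted(found & CRYPTO),
              "network": sorted(found & NETWORK)}
    # Only the combination of all three is treated as worth a closer look.
    report["suspicious"] = all(report[k] for k in ("dynamic_load", "crypto", "network"))
    return report


def triage(manifest_xml, strings, expected_capabilities):
    """Combine both checks into one report for an analyst."""
    perms = declared_permissions(manifest_xml)
    return {"unexpected_permissions": unexpected_permissions(perms, expected_capabilities),
            "indicators": dropper_indicators(strings)}


# Constructed sample: a document scanner that legitimately needs the camera
# but also asks for phone state and contacts, and whose code references a
# class loader, a cipher and an HTTP client.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

SAMPLE_STRINGS = ["dalvik.system.DexClassLoader", "javax.crypto.Cipher",
                  "java.net.HttpURLConnection", "android.widget.TextView"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS, expected_capabilities={"camera"}))
```

In practice the manifest would come from the decoded APK and the string list from the decompiled classes; the point of the combination rule is that a scanner app needing the camera is expected, while a class loader, a cipher and a network client appearing together in an ad library is the pattern that deserves a second look.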
Ultimately, the best strategy is to install only the apps that are truly useful and to uninstall apps that haven't been used in a while. The practicality and effectiveness of this guidance are by no means ideal, but unfortunately that is the current state of security for Android apps.