Security experts have repeated warnings about malicious applications hiding on official mobile app stores after finding dozens of them on Google Play.
Bitdefender said it identified 35 in total by using behavioral analysis technology to scan the marketplace. They totaled over two million downloads.
The apps perform various malicious activities to achieve persistence on the user’s device and bombard them with advertising, but could also be a conduit for malware, Bitdefender warned.
“Many legitimate apps offer ads to their users, but these ones show ads through their own framework, which means they can also serve other types of malware to their victims,” it said.
“Most of the time, users can choose to delete the application if they don't like it. But these new malicious apps trick victims into installing them, only to change their name and icons and even take some extra steps to conceal their presence on the device. Users can still delete them at will, but the developers make it more difficult to find them on the affected devices.”
A “GPS Location Maps” app was the most popular of the bunch, garnering over 100,000 downloads but no reviews.
Immediately after downloading, it apparently changes its label from “GPS Location Maps” to “Settings,” and also changes its icon, making it more difficult for users to find and uninstall it.
Then developer also used heavily obfuscated code and encryption to make reverse engineering more challenging for researchers, Bitdefender claimed.
Other techniques observed by the researchers to hide the adware include ensuring the apps don't show in the list of those most recently used on Android. Some apps also request permission to bypass the battery optimization feature so they don’t automatically get shut down by the OS, the report noted.
Although the official developer names linked to these 35 apps are all different, Bitdefender noticed that the email addresses and websites associated with them appear similar, indicating they’re the work of a single entity or individual.
The vendor urged user caution, even on official marketplaces, and particularly regarding apps with large download figures but few reviews or ones that request excessive permissions.
“While official stores are usually very good at weeding malicious or dangerous applications out, some history shows that a small number of bad apps manage to get through and make victims until they get reported,” it concluded.
“Just because we download an app from the official store doesn't mean it will be safe.”