Turkish Android App Store 100% Flush with Malware

CepKutusu, a Turkish alternative Android app store, was found to be 100% infested with malware—where every single app delivered malicious code.

ESET researchers discovered that when users browsed the store and proceeded to download an app, the “download now” button led to banking malware instead of the desired app. The remotely controlled malware is capable of intercepting and sending SMS messages, displaying fake activity, and downloading and installing other apps.

However, the crooks behind the campaign added an exception.

“Probably to increase their chances to stay under the radar longer, they introduced a seven-day window of not serving malware after a malicious download,” the firm said, in an analysis. “In practice, after the user downloads the infected app, a cookie is set to prevent the malicious system from prevailing, leading to the user being served clean links for the next seven days. After this period passes, the user gets redirected to the malware once they try to download any application from the store.”

Despite this crafty trick, the sophistication stops there. Once redirected, users were sent not to a reasonable facsimile of the legitimate app, but to a Flash Player download—hardly a brilliant disguise.

Lukáš Štefanko, a malware researcher at ESET, said that the effort was probably a test drive for something bigger.

“This is the first time I’ve seen an entire Android market infected like that. Within the Windows ecosystem and in browsers, this technique is known to have been used for some time. In the Android ecosystem, however, it’s really a new attack vector,” he explained. “[However], the crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam…it was probably a test.”
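The two red flags described above (a store whose every "download now" button resolves to one shared target, and download links that change depending on whether the visitor carries the store's post-download cookie) are both easy to check for from the outside. The following is an added example, not code from ESET or from the store: it parses constructed sample app pages (no network access; the hostnames and package paths are placeholders) and reports both signals, so an analyst could apply the same checks to pages captured from a fresh session and from a session that already holds the store's cookie.

```python
"""Spot a store that swaps every download link for one payload, and a store
whose download links differ between a cookie-less and a cookied session.
All HTML below is constructed for this example; no real store is contacted."""
from collections import Counter
from html.parser import HTMLParser


class DownloadLinkParser(HTMLParser):
    """Collect the href of every anchor whose visible text is 'Download now'."""

    def __init__(self):
        super().__init__()
        self._href = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._href and data.strip().lower() == "download now":
            self.links.append(self._href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def extract_download_links(html):
    parser = DownloadLinkParser()
    parser.feed(html)
    return parser.links


def shared_target_ratio(pages):
    """pages maps app name -> page HTML. Returns the most common download
    target and the fraction of apps whose button points at it; a store in
    which that fraction approaches 1.0 is serving one file for everything."""
    targets = {}
    for app, html in pages.items():
        links = extract_download_links(html)
        if links:
            targets[app] = links[0]
    if not targets:
        return None, 0.0
    target, count = Counter(targets.values()).most_common(1)[0]
    return target, count / len(targets)


def session_divergence(fresh_pages, cookied_pages):
    """Return {app: (fresh_target, cookied_target)} for every app whose
    download target differs between a cookie-less fetch and a fetch made
    with the cookie the store sets after a download."""
    diverging = {}
    for app, fresh_html in fresh_pages.items():
        fresh = extract_download_links(fresh_html)
        cookied = extract_download_links(cookied_pages.get(app, ""))
        if fresh and cookied and fresh[0] != cookied[0]:
            diverging[app] = (fresh[0], cookied[0])
    return diverging


def _page(app_name, href):
    return f'<html><body><h1>{app_name}</h1><a href="{href}">Download now</a></body></html>'


# Constructed sample: a fresh session sees one shared payload for every app,
# while the cookied session (inside the seven-day window) sees the real files.
PAYLOAD = "https://store.example.invalid/get/flashplayer.apk"  # placeholder
APPS = ["Racing Game", "Photo Editor", "Weather Widget"]
FRESH_SESSION_PAGES = {app: _page(app, PAYLOAD) for app in APPS}
COOKIED_SESSION_PAGES = {
    app: _page(app, f"https://store.example.invalid/files/{app.lower().replace(' ', '-')}.apk")
    for app in APPS
}


def assess(fresh_pages, cookied_pages, shared_threshold=0.9):
    """Combine both checks into one verdict dictionary."""
    target, ratio = shared_target_ratio(fresh_pages)
    divergence = session_divergence(fresh_pages, cookied_pages)
    return {
        "single_shared_target": ratio >= shared_threshold,
        "shared_target": target,
        "shared_ratio": ratio,
        "cookie_dependent_links": sorted(divergence),
    }


if __name__ == "__main__":
    for key, value in assess(FRESH_SESSION_PAGES, COOKIED_SESSION_PAGES).items():
        print(f"{key}: {value}")
```

Feeding `assess` two sets of captured pages, one from a clean browser profile and one from a profile that already downloaded something from the store, exposes both the one-payload-for-all-apps substitution and the cookie gate without needing to execute any of the served files.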

While this particular threat was neutralized once the store was notified, he added that the bad guys could easily up their game.

“I can imagine a scenario in which the crooks who control the store’s back end append a malicious functionality to each of the apps in the store,” Štefanko said. “Serving those interested in a particular game with a trojanized version of that game – that would remove the biggest red flag and the number of victims might rise significantly.”
