Threat actors are using a technique known as "versioning" to evade the Google Play Store's malware detection mechanisms, posing a significant risk to Android users. The method lets them target specific users and compromise sensitive information, including credentials, data, and finances. Despite being a known tactic, versioning remains hard to detect, making it a preferred choice for malicious developers.
In May, the cybersecurity firm ESET uncovered a screen recording app called "iRecorder - Screen Recorder." Notably, the app had been on the Play Store for almost a year before malicious modifications were introduced to enable covert spying on its users.
SharkBot, a notorious malware family that relies on dynamic code loading (DCL), has repeatedly resurfaced on the Play Store, disguising itself as security and utility apps to deceive users.
Operating as a financial trojan, SharkBot executes unauthorized money transfers from compromised devices through the Automated Transfer Service (ATS) protocol.
Here's how the versioning technique works:
Innocent-looking Initial Release: Malicious developers begin by publishing an initial version of the app on the Google Play Store that appears harmless and passes Google's pre-publication security checks. This first version is deliberately kept clean so that it raises no flags.
Introduction of Malicious Components: The developers then push updates that introduce malicious components into the seemingly harmless app. Because the malicious code arrives only in later updates, the initial version passes the security checks while the updated app carries the hidden threats.
Attacker-Controlled Servers: The updates containing the harmful code are delivered to users' devices from servers controlled by the attackers, which dynamically load code (Dynamic Code Loading, or DCL) onto the devices without raising suspicion.
App as a Backdoor: After the malicious update, the app effectively becomes a backdoor on the device, granting the attackers unauthorized access and control, which they use to harvest sensitive information, undermine the device's security, and carry out further malicious activity.
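The defensive counterpart to the four steps above, as an added example that is not from the article, ESET, ThreatFabric or Google: a small Python capability-drift check that compares an approved baseline build with its update and flags newly introduced code-loading APIs, high-risk permissions and contact hosts, which is exactly what a vetting process that only inspects the first release misses. The app name, package, hosts, version data and the scoring weights are constructed for the example; the class names and permission strings are real Android identifiers.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Real Android framework APIs that load or execute code at run time. Their
# appearance in an update of an app that never used them is the trace a
# versioning attack leaves behind. This is a heuristic, not proof of malice.
DCL_APIS = frozenset({
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
    "dalvik.system.BaseDexClassLoader",
    "java.lang.Runtime.exec",
})

# Real Android permissions that banking trojans lean on (overlays, accessibility
# automation, SMS interception, silent install).
HIGH_RISK_PERMISSIONS = frozenset({
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
})


@dataclass(frozen=True)
class AppVersion:
    """Capability summary of one build, as extracted from a decoded APK."""
    package: str
    version_code: int
    permissions: frozenset[str]   # <uses-permission> entries from AndroidManifest.xml
    api_refs: frozenset[str]      # fully qualified classes/methods referenced in the DEX
    hosts: frozenset[str]         # hostnames found in string constants


@dataclass
class DriftReport:
    new_dcl_apis: set[str] = field(default_factory=set)
    new_high_risk_permissions: set[str] = field(default_factory=set)
    new_hosts: set[str] = field(default_factory=set)

    def risk_score(self) -> int:
        # Weights are an assumption for this example: code loading outweighs a
        # new permission, which outweighs a new contact host.
        return (3 * len(self.new_dcl_apis)
                + 2 * len(self.new_high_risk_permissions)
                + 1 * len(self.new_hosts))

    def verdict(self) -> str:
        score = self.risk_score()
        if score >= 3:
            return "block"    # any new DCL API, or several new high-risk permissions
        if score > 0:
            return "review"
        return "allow"


def check_lineage(baseline: AppVersion, update: AppVersion) -> str | None:
    """Return None if `update` is a later build of the same package, else why not."""
    if baseline.package != update.package:
        return f"package mismatch: {baseline.package} vs {update.package}"
    if update.version_code <= baseline.version_code:
        return f"versionCode did not increase: {baseline.version_code} -> {update.version_code}"
    return None


def diff_versions(baseline: AppVersion, update: AppVersion) -> DriftReport:
    """Flag capabilities the update introduces that the approved baseline lacked."""
    problem = check_lineage(baseline, update)
    if problem:
        raise ValueError(problem)
    return DriftReport(
        new_dcl_apis=set(update.api_refs - baseline.api_refs) & DCL_APIS,
        new_high_risk_permissions=set(update.permissions - baseline.permissions) & HIGH_RISK_PERMISSIONS,
        new_hosts=set(update.hosts - baseline.hosts),
    )


# Constructed sample data: a screen-recorder app whose first build is benign and
# whose update adds an accessibility permission, a class loader and a new host.
BASELINE = AppVersion(
    package="com.example.recorder",
    version_code=1,
    permissions=frozenset({"android.permission.INTERNET",
                           "android.permission.RECORD_AUDIO"}),
    api_refs=frozenset({"android.media.MediaRecorder",
                        "java.net.HttpURLConnection"}),
    hosts=frozenset({"cdn.example.com"}),
)

UPDATE = AppVersion(
    package="com.example.recorder",
    version_code=2,
    permissions=BASELINE.permissions | {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    api_refs=BASELINE.api_refs | {"dalvik.system.DexClassLoader"},
    hosts=BASELINE.hosts | {"update.example.invalid"},  # .invalid TLD: constructed placeholder
)

if __name__ == "__main__":
    report = diff_versions(BASELINE, UPDATE)
    print(f"{UPDATE.package} v{UPDATE.version_code}: "
          f"verdict={report.verdict()} score={report.risk_score()}")
    for api in sorted(report.new_dcl_apis):
        print("  new code-loading API:", api)
    for perm in sorted(report.new_high_risk_permissions):
        print("  new high-risk permission:", perm)
    for host in sorted(report.new_hosts):
        print("  new contact host:", host)
```

The check is deliberately stateful across releases: the baseline is the last build you approved, not the first one ever submitted, so an app that stays clean for a year and then turns is caught at the update that turns it. In practice the `AppVersion` fields would be populated by an APK decoder; here they are filled in by hand.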
According to a report from ThreatFabric, cybercriminals have also been exploiting an Android bug to make malicious apps appear harmless: by "corrupting components of an app" in a way that leaves the app valid as a whole, they allow malicious apps to bypass detection and threaten unsuspecting users.