Your Android Phone may be Infected if these Google Play Store Applications were Installed


Google’s Play Store is home to many applications, some of which are developed to secure our lives, while others are there to make our lives miserable. A few such applications were specifically designed by hackers to target travellers seeking embassy information for a few European countries. In reality, the malicious programs collected specific data, including device information, root data, location history and information, and contact details along with the targets’ emails, all of which was reported by Lookout’s Security & Information department.

Image Source: Lookout – A screenshot of the malicious application Embassy on Google Play Store.

The company labelled its newly discovered malware ‘Overseer’ and stated that it had found it in fake applications in the middle of this year. After completing its report, the company informed Google of the discovery, which resulted in the removal of the applications from the Google Play Store.

The shocking discovery suggests that the applications were downloaded more than five thousand times from Google Play. The malicious applications showing the same activity that were removed by Google are:

  • Embassy;
  • Russian News;
  • European News;
  • Горячие Новости (an application in The Russian language, using Cyrillic script).

According to Michael Flossman, a specialist at Lookout, the Embassy app was designed to provide users with addresses and other information about embassies in Europe. However, when the application was tested, it did not provide any embassy details; instead, the server to which all of the collected information was to be sent was active. After researching the servers themselves, Michael and his team discovered that they were Facebook’s Parse server machines, hosted by Amazon. Because the services are provided by Amazon and Facebook, the spyware gains an edge: its C&C traffic runs over HTTPS to trusted infrastructure, which effectively hides it. This poses a challenge for standard network intrusion detection systems.

Image Source: Lookout – A screenshot of the code analysis.

Once the Trojan is on the targeted phone, it can run a scan to determine which additional programs it needs to download in order for the hacker to gain full control of the device.

According to Michael, the hacker’s technique for disguising the malware in the Google Play Store relied simply on the HTTPS and C&C connections used; the applications were made to look like genuine software by using Facebook’s Parse server.
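Because the C&C traffic blends into HTTPS to a legitimate cloud provider, network signatures alone are a weak control, and a responder will usually reach for a host-side check instead. The following is an added example, not Lookout’s code and not from the article: it parses the output of `adb shell dumpsys package` and flags installed apps whose requested permissions span the data categories the article says Overseer collected (location, contacts, accounts/emails, device identifiers). The permission-to-category mapping, the flagging threshold and the package names in the embedded sample are constructed for this example; an app with a “news” or “embassy” purpose that requests all of these together is a triage lead for further review, not proof of infection.

```python
"""Triage helper for Android permission review (added example, not Lookout's code).

Input is the text of `adb shell dumpsys package <pkg>` (or of `dumpsys package`
for all packages). The sample below is constructed for this example.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Permissions mapped to the data categories the article describes.
# This mapping is an assumption of the example, not something the article states.
RISK_PERMISSIONS: Dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts/emails",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}

# Constructed dumpsys output; package names are placeholders, not real apps.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.embassyinfo] (1a2b3c):
    userId=10140
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.GET_ACCOUNTS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (4d5e6f):
    userId=10141
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
    install permissions:
      android.permission.CAMERA: granted=true
  Package [com.example.maps] (7a8b9c):
    userId=10142
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.INTERNET
"""


def parse_dumpsys(text: str) -> Dict[str, Set[str]]:
    """Return {package_name: set(requested permissions)} from dumpsys output.

    Only the 'requested permissions:' block of each package is read; the block
    ends at the next section header (a line ending in ':') or the next package.
    """
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in text.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current = header.group(1)
            result[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:" and current is not None:
            in_requested = True
            continue
        if in_requested:
            if stripped.endswith(":") or not stripped:
                in_requested = False  # left the requested-permissions block
            elif re.fullmatch(r"[\w.]+", stripped):
                result[current].add(stripped)
    return result


def triage(packages: Dict[str, Set[str]], min_categories: int = 3) -> List[Tuple[str, List[str]]]:
    """Return (package, categories) for apps spanning >= min_categories risk
    categories, broadest first. The threshold is this example's own choice."""
    flagged = []
    for pkg, perms in packages.items():
        cats = sorted({RISK_PERMISSIONS[p] for p in perms if p in RISK_PERMISSIONS})
        if len(cats) >= min_categories:
            flagged.append((pkg, cats))
    flagged.sort(key=lambda item: (-len(item[1]), item[0]))
    return flagged


if __name__ == "__main__":
    # Usage: adb shell dumpsys package | python triage.py   (or no stdin: use the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for pkg, cats in triage(parse_dumpsys(data)):
        print(f"{pkg}: requests {', '.join(cats)}")
```

The output is a shortlist to review by hand (who published the app, whether its stated purpose needs each category, and what it actually does with the data), and the threshold should be tuned to the fleet: a mapping app legitimately requesting location is why the default asks for three categories rather than one.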

Image Source: Lookout – A screenshot of the malicious Europe News application from Google Play Store with a 4.0 rating.

Even though Google has its own detection system, and it does a great job of finding such malicious applications on the Google Play Store, everything has a vulnerability. So too does Google’s malicious-application detection system, which can still give a red application a green signal on the Play Store; in this case, it did so for these four applications.

However, researchers at Lookout stated that they could not find any activity from Overseer in return while monitoring the code. This led them to believe that nothing has happened yet for one of two reasons: the hackers who designed this malicious program might activate it in the future, or, since the malware reads GPS and other related information that allows it to identify the device’s location, this itself may be the reason why no activity was seen.

Source: Lookout


This article (Your Android Phone may be Infected if these Google Play Store Applications were Installed) is a free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.com.


1 COMMENT

  1. “After conducting further research on the servers themselves, Michael and his team discovered that the servers were Facebook’s parse server machines, hosted by Amazon. Since the services are being provided by Amazon and Facebook, this gives the spyware an edge – using HTTPS and C&C features – and ultimately, hiding its traffic. This can bring about a challenge amongst the standard online intrusion detection system.”

    That is an interesting tidbit right there, considering that the CIA publicly announced it was putting a presence on Amazon’s cloud server last year. We can guess who is controlling this op.
