More than half a million users have installed Android malware posing as driving games — from Google’s own app store.
Lukas Stefanko, a security researcher at ESET, tweeted details of 13 gaming apps — made by the same developer — which were at the time of his tweet downloadable from Google Play. Two of the apps were trending on the store, he said, giving the apps greater visibility.
Combined, the apps surpassed 580,000 installs before Google pulled the plug.
Anyone downloading the apps were expecting a truck or car driving game. Instead, they got what appeared to be a buggy app that crashed every time it opened.
In reality, the app was downloading a payload from another domain — registered to an app developer in Istanbul — and installed malware behind the scenes, deleting the app’s icon in the process. It’s not clear exactly what the malicious apps do; none of the malware scanners seemed to agree on what the malware does, based on an uploaded sample to VirusTotal. What is clear is that the malware has persistence — launching every time the Android phone or tablet is started up, and has “full access” to its network traffic, which the malware author can use to steal secrets.
We reached out to the Istanbul-based domain owner, Mert Ozek, but he did not respond to our email. (If that changes, we’ll update).
It’s another embarrassing security lapse by Google, which has long faced criticism for its backseat approach to app and mobile security compared to Apple, which some say is far too restrictive and selective about which apps make it into its walled garden.
Google has spent years trying to double down on Android security by including better security features and more granular app permission controls. But the company continues to battle rogue and malicious apps in the Google Play app store, which have taken over as one of the greatest threats to Android user security. Google pulled more than 700,000 malicious apps from its app store last year alone, and has tried to improve its back-end to prevent malicious apps from getting into the store in the first place.
And yet — clearly — that isn’t enough.
When reached, a Google spokesperson did not immediately comment.