New Trojanized Android App Found on Google Play
A new Trojanized app, with more than 5,000 installs, has been found in the Google Play store.
Malware researcher Lukas Stefanko found the malicious app, an Android call recording application that carries malicious code designed to act as a malware dropper. The application, the ‘Simple Call Recorder’ app published by FreshApps Group, has been available on Google Play for almost one year now.
In a blog post dated November 12, 2018, Lukas Stefanko writes, “I found a Trojan on Play Store available for download almost for a year. Its malicious functionality was hidden inside ‘Simple Call Recorder’ application published by ‘FreshApps Group’. The main purpose was to download an additional app and trick the user into installing it as Flash Player Update. Simple Call Recorder was uploaded on Google Play on November 30, 2017 and when I reported this app to Google Security team, the app had over 5,000 installs.”
As Stefanko explains, on the surface the app is just a working call recorder, but it has a hidden purpose as well: it downloads a malicious app, which the user is tricked into installing as a Flash Player Update. Stefanko also clarifies that this download functionality is not an integral part of the call recorder app; it was added by the attacker.
A report on Softpedia News explains how the malicious app works; the report states, “The malicious app tries to compromise the device it is installed on by decrypting a binary file which it loads from its assets, dynamically loading it, and subsequently asking the user to install a fake flash updater from http://adsmserver[.]club/up/update.apk (the installer is now removed and redirects to Google’s AdMob.)”
Stefanko reveals that the malware payload was no longer available, so it was not possible to find out what it was used for. The app had been removed from the server after 11 months. Stefanko’s blog post reads, “There is one downside, I could not retrieve the app through the link that is hard-coded into the APK. It is likely that the app has already been removed from the server after being available for download for over 11 months. At the time of writing, the attacker’s server was still up but his registered domain will soon expire unless extended.”
The threat actors used the malicious call recording app as a malware dropper for almost a year. Lukas Stefanko explains where the call recorder functionality came from. He writes, “The call recording functionality inside this Trojan was uploaded on Google Play in 2016 in two different apps. However, these two apps didn’t contain malicious functionality. Most likely, the attacker found one of these apps on an alternative source – maybe even open source code on GitHub – and stole the call recording functionality. Then he implemented the malicious code and uploaded it on the Play Store.”
Stefanko, who in September discovered a banking Trojan camouflaged as a legitimate phone call recording Android app and who had also unearthed 29 other infected Android apps between August and early October this year, further states, “Simple Call Recorder lasted on the Google Play almost for a year, which is really a long time before being removed, if we consider that the app contained flashplayer_update.apk string inside. Even though I could not retrieve the downloaded application, this functionality is still – based on Google Play policy – explicitly prohibited.”
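The pattern described above (an encrypted blob in the APK’s assets, dynamic code loading, and a hard-coded link to a fake Flash Player update) can be triaged statically before an app is ever installed. The following is an added example written for this article, not code from Stefanko, ESET or Softpedia; it builds a constructed stand-in APK in memory and scans it for those indicators. The 7.5-bit entropy threshold and the `example.invalid` URL are assumptions.

```python
# Static triage of an APK (a zip) for the dropper pattern: a dex that references
# Android's dynamic class-loading API, a hard-coded '.apk' download URL or a Flash
# Player lure string, and an opaque (high-entropy, likely encrypted) blob under
# assets/. Nothing inside the APK is executed. Threshold 7.5 bits is an assumption.
import io
import math
import os
import re
import zipfile
from collections import Counter

DYNAMIC_LOAD_MARKERS = (b"dalvik/system/DexClassLoader", b"dalvik/system/PathClassLoader")
APK_URL_RE = re.compile(rb"https?://[\w.\-/]+\.apk")
LURE_RE = re.compile(rb"flash\s*player|flash\w*update", re.IGNORECASE)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/random data, lower for plain files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Scan every entry of the APK and report which dropper indicators are present."""
    f = {"dynamic_loading": False, "apk_urls": [], "lure_strings": [], "high_entropy_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name.endswith(".dex"):
                f["dynamic_loading"] |= any(m in data for m in DYNAMIC_LOAD_MARKERS)
                f["apk_urls"] += [u.decode() for u in APK_URL_RE.findall(data)]
                f["lure_strings"] += [s.decode() for s in LURE_RE.findall(data)]
            elif name.startswith("assets/") and shannon_entropy(data) >= entropy_threshold:
                f["high_entropy_assets"].append(name)
    # All three together match the decrypt-asset, load-it, then-lure-the-user pattern.
    f["suspicious"] = (f["dynamic_loading"] and bool(f["high_entropy_assets"])
                       and bool(f["apk_urls"] or f["lure_strings"]))
    return f

def build_sample_apk() -> bytes:
    """Constructed stand-in APK: not a real dex, only the strings a scanner would see."""
    dex = (b"dex\n035\x00Ldalvik/system/DexClassLoader;\x00"
           b"http://example.invalid/up/update.apk\x00flashplayer_update.apk\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", dex)
        apk.writestr("assets/payload.bin", os.urandom(4096))  # stands in for the encrypted blob
        apk.writestr("res/values/strings.xml", b"<resources></resources>")
    return buf.getvalue()
```

On a real sample, pass the bytes of the downloaded APK to `triage_apk`; the string and entropy checks are coarse, so treat a hit as a reason to look closer, not as proof.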
Drawing on his experience as a researcher, Stefanko warns users that any Android application that mimics or downloads Flash Player is most likely malicious.