According to Bleeping Computer, security researchers who track the mobile app ecosystem have noticed a recent surge of Trojans slipping into the Google Play Store, with one of the apps downloaded and installed more than 500,000 times.
The findings come from Dr. Web's January report, which found that most of these apps are fraudulent, typically leading to financial losses for users and the disclosure of sensitive personal information.
Malicious applications discovered by Dr. Web's analysts on Google Play include cryptocurrency management apps, social-benefit aid tools, photo editors, iOS 15-themed launchers, and clones of Gasprom's investment software. In the fake investment apps, the victim is usually prompted to create a new account and deposit funds for trading, but the money is simply transferred to the scammer's bank account. Other apps try to trick users into signing up for expensive subscriptions.
Fake Gasprom investment software
Most of the apps reported by Dr. Web have since been removed from the Google Play Store, but Bleeping Computer still found a malicious app that had not been cleaned up: the navigation app Top Navigation, which has been downloaded and installed more than 500,000 times. Looking into the app's developer, Tsaregorotseva, Bleeping Computer found a second malicious app, Advice Photo Power, which has been downloaded more than 100,000 times.
Malicious navigation application Top Navigation
Malicious application Advice Photo Power
Negative user reviews under the apps describe tactics similar to the subscription scams above: victims are tricked into entering their phone numbers, taken to affiliate-service websites, and signed up for paid subscriptions through WAP-Click billing.
Dr. Web also reported that the main threat seen since January is Trojanized versions of unofficial WhatsApp mods such as GBWhatsApp, OBWhatsApp and WhatsApp Plus. These mods offer Arabic language support, home screen widgets, separate bottom bars, a hidden-status option, call blocking, and auto-saving of received media, which makes them popular with many users. In the Trojanized versions, however, the bundled malware attempts to read notifications from the Google Play Store and Samsung Galaxy Store apps, working through the Flurry analytics service.
In the OBWhatsApp sample analyzed, the Trojan additionally downloaded another APK from a URL received from its command-and-control server and asked the user to install it under the guise of an OBWhatsApp update. That component can display dialog boxes at will, with settings and content updated remotely, allowing the attacker to redirect the user to a malicious website.
How to stay away from these apps? First, avoid downloading APKs from unknown sources, read the user reviews, and carefully inspect permission requests at install time. Pay particular attention to requests for notification access and for permission to install other apps, since those are exactly the capabilities the Trojanized mods abuse. In later use, keep an eye on battery and mobile data usage for abnormal consumption.
Also check regularly that Google Play Protect is enabled, and add a second layer of protection with a mobile security product from a reputable vendor.
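The checks above can be partly automated for the behaviours described in the WhatsApp-mod section (notification reading and prompting the user to install a downloaded APK). The following Python script is an added example and is not code from Bleeping Computer or Dr. Web; it parses the output of three `adb shell` commands to flag third-party apps that were not installed by an app store, hold notification-listener access, or request the permission to install other packages or to draw overlay dialogs. The sample command outputs embedded in it are constructed for offline use, and the package names in them are placeholders, not identifiers from the report.

```python
"""Triage installed Android apps for the warning signs discussed above.

Parses the output of:
  adb shell pm list packages -3 -i
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys package <pkg>
The SAMPLE_* values are constructed for offline use; package names are placeholders.
"""
import re
import subprocess

# Installers a practitioner would normally trust on a stock device (assumption).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Requested permissions worth a second look on a third-party app.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # can prompt to install a downloaded APK
    "android.permission.SYSTEM_ALERT_WINDOW",       # can draw overlay dialogs over other apps
}


def parse_package_list(text):
    """Map package name -> installer from `pm list packages -3 -i` output."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)   # "null" means no recorded installer
    return installers


def parse_notification_listeners(text):
    """Package names that hold notification-listener access.

    The setting is a colon-separated list of ComponentNames (pkg/Service)."""
    return {comp.split("/", 1)[0] for comp in text.strip().split(":") if "/" in comp}


def parse_requested_permissions(dumpsys_text):
    """Permission names from the 'requested permissions:' block of `dumpsys package`."""
    perms = set()
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if stripped.endswith(":") or not line.startswith(" "):
                break                               # reached the next dumpsys section
            perms.add(stripped.split(":")[0])       # drop trailing "restricted=..." notes
    return perms


def triage(pkg_list_out, listeners_out, dumpsys_by_pkg):
    """Return {package: [reasons]} for third-party apps with at least one warning sign."""
    installers = parse_package_list(pkg_list_out)
    listeners = parse_notification_listeners(listeners_out)
    findings = {}
    for pkg, installer in installers.items():
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by {installer}, not an app store")
        if pkg in listeners:
            reasons.append("holds notification-listener access")
        requested = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        for perm in sorted(RISKY_PERMISSIONS & requested):
            reasons.append(f"requests {perm}")
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed sample outputs (not captured from a real device).
SAMPLE_PACKAGE_LIST = """\
package:com.example.navigator  installer=com.android.vending
package:com.example.messenger.mod  installer=null
package:com.example.photoeditor  installer=com.android.vending
"""
SAMPLE_LISTENERS = "com.example.messenger.mod/.NotifService:com.example.dialer/.CallSvc"
SAMPLE_DUMPSYS = {
    "com.example.messenger.mod": """\
Packages:
  Package [com.example.messenger.mod] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.navigator": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
""",
}


def adb(*args):
    """Run one adb shell command and return its stdout (used only against a real device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    pkgs = adb("pm", "list", "packages", "-3", "-i")
    listeners = adb("settings", "get", "secure", "enabled_notification_listeners")
    dumps = {p: adb("dumpsys", "package", p) for p in parse_package_list(pkgs)}
    for pkg, reasons in triage(pkgs, listeners, dumps).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

Run against a connected device with USB debugging enabled; for the embedded sample, `triage(SAMPLE_PACKAGE_LIST, SAMPLE_LISTENERS, SAMPLE_DUMPSYS)` flags only the sideloaded messenger mod, for all four reasons, while the two Play-installed apps are left alone. A flagged app is a prompt to look closer, not proof of malice: legitimate dialers and wearable companions hold notification access too.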