Fraudulent Android app developers have been found probing Google's Play Store security by removing suspicious code and then adding it back, in order to determine which parts of it trigger Google's detection systems.
The behavior was noticed by security company White Ops in two previously fraudulent apps, which raises an interesting question: If a fraudulent app developer disables the part of an app that makes their behavior fraudulent, is that app still a scam app?
The apps were among a set of 38 beauty-themed apps from the same developer that the company had discovered and reported to Google for bombarding users with unwanted ads.
Not only did the apps show non-contextual ads at every opportunity, they also redirected users to websites and made themselves difficult to uninstall, using techniques such as hiding their icons on the home screen and in the app drawer.
But how did the apps get there?
This has become a recurring problem for Google's security team in recent years: a security vendor or researcher discovers that multiple apps in the Play Store do something bad and informs Google, and the apps are eventually removed once they are confirmed to be malicious.
Of course, uploaded apps are screened by Google's automated security checks before they are accepted. But this system can be bypassed, as the steady, unabated stream of rogue app discoveries confirms.
Beating the detection systems is not as difficult as it should be. Malicious developers have a number of techniques at their disposal, such as binary packing and even Arabic Unicode, to hide malicious code in ways that are hard to detect without having humans review each app and every update to it.
Sometimes the apps contain no fraudulent code at all and simply exploit gaps in Google's licensing rules to do outrageous things, such as billing users hundreds of dollars to keep using them.
The bigger problem here is not that such apps can get into the Play Store, but how long they stay there.
In this case, Google took an average of 17 days to remove the apps, and at least one remained in the Play Store for three months. That is long enough to do damage:
Even with an average time of less than three weeks in the Play Store, the apps found a target group: The average number of installations for the apps we analyzed was 565,833.
Then the developer unexpectedly updated two of the apps so that most of the problem behavior was disabled.
Disabled, not removed: the change was simply made through a command-and-control (C2) function, so the problem code remained intact and was still present in the apps.
According to White Ops, the two modified apps may be an attempt to find out which criteria Google's systems use to recognize apps as fraudulent.
In this scenario, the apps could be updated several more times, each update activating a different part of the malicious behavior, until Google detects the malicious intent.
Google has since taken down the apps discovered by White Ops in 2019, but it is hard to avoid the impression that Google's ongoing struggle to banish bad apps remains an uphill fight.