Android Scammers Try New Tactics

John Lister's picture

Google has cracked down on a key method that scammers used to distribute Android malware through the Play app store. But like a game of whack-a-mole, the scammers are adjusting their tactics for greater success.

The Google change is to the way it handles accessibility tools on Android devices. These include screen-readers, voice input systems and other modifications for users to interact with the device.

Such tools often need access to key components such as the camera, microphone or speakers, access that can be abused by malware. Google relaxes the security and permissions system on such apps to avoid deterring people from developing and releasing them but had found scammers exploiting this leeway by mislabeling rogue apps.

As a result, Google will now only allow apps to qualify for the special access when their stated purpose is directly related to an accessibility issue. That doesn't necessarily stop scammers developing a bogus accessibility app that's actually designed to spread malware. It may discourage them simply because such apps may attract a smaller audience and thus lower potential victims. (Source: google.com)

Scammers Switch Course

Unfortunately security company ThreatFabric believes scammers have responded by switching back to (and refining) an older tactic: releasing harmless apps and then gradually asking for more permissions over time before taking advantage of the additional access to software and components. It's a tactic known as a dropper app and often works because the initial version of the app looks harmless to Google's automated security checks.

One of the big problems for scammers is persuading victims to give permission to install updates and other software from untrusted sources: in other words, not from Google Play. ThreatFabric has noted a big push to finding ways to make this request seem harmless and legitimate. (Source: threatfabric.com)

New Workout Routines Bring Danger

For example, a supposed gym and fitness trainer app disguises the request as the user giving the go-ahead to download new workout routines.

The scammers also appear to be using filters so that they only attempt to install the malware on particular models of phone or after a particular amount of time has passed since the original installation. In both cases the goal appears to be to avoid showing up when Google runs checks on recently-released apps to make sure they haven't changed since getting approval.

It also seems the scammers are using location filtering to only install the malware in particular areas of the world at any given time. That's likely because they are planning to target victims with fake login pages for banks in their area to try to capture security details and passwords.

What's Your Opinion?

How much trust do you place in Google's app vetting? Have you noticed apps asking for new permissions some time after you first use them? Do you ever install Android apps from third-party sources rather than the Play Store?

Rate this article: 
Average: 5 (6 votes)